
A newly discovered critical vulnerability in DjVuLibre, the open-source decoder for DjVu document files, has opened the door to remote code execution attacks on Linux desktop environments. The flaw, tracked as CVE-2025-53367 and carrying a CVSS score of 8.4, stems from an out-of-bounds write in the MMRDecoder::scanruns method.
DjVuLibre might not be a household name, but its presence is widespread. As the report highlights:
“DjVu is a document file format that can be used for similar purposes to PDF. It is supported by Evince and Papers, the default document viewers on many Linux distributions.”
Even more concerning is the fact that DjVu files can be disguised as PDFs:
“Even when a DjVu file is given a filename with a .pdf extension, Evince/Papers will automatically detect that it is a DjVu document and run DjVuLibre to decode it.”
This means unsuspecting users may open what appears to be a safe PDF, only to trigger a hidden exploit.
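Because the viewer decides by content rather than by extension, a defender can apply the same logic in reverse and hunt for files whose name says PDF but whose header says DjVu. The script below is an added example, not code from the article or from the DjVuLibre project; the header constants are the published DjVu ("AT&TFORM") and PDF magic values, and the directory scanned is the caller's choice.

```python
from pathlib import Path

# Header constants are the published DjVu (IFF85 "AT&TFORM") and PDF magic
# values; they are not taken from the article.
DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}
PDF_MAGIC = b"%PDF-"
HEADER_LEN = 16


def classify_header(head: bytes) -> str:
    """Classify a file from its first bytes: 'pdf', 'djvu' or 'other'."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    # DjVu layout: "AT&TFORM", 4-byte big-endian chunk length, then the
    # form type ("DJVU" single page, "DJVM" bundled, "DJVI" shared, "THUM").
    if len(head) >= HEADER_LEN and head[:8] == DJVU_MAGIC and head[12:16] in DJVU_FORM_TYPES:
        return "djvu"
    return "other"


def find_disguised_djvu(directory) -> list:
    """Return paths under `directory` that carry a .pdf extension but whose
    content is a DjVu container (what Evince/Papers would hand to DjVuLibre)."""
    hits = []
    for path in Path(directory).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".pdf":
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(HEADER_LEN)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if classify_header(head) == "djvu":
            hits.append(str(path))
    return sorted(hits)


if __name__ == "__main__":
    # Sweep the directory named in the article's PoC description.
    for hit in find_disguised_djvu(Path.home() / "Downloads"):
        print(f"DjVu content behind .pdf name: {hit}")
```

A hit is not proof of exploitation, only of a content/extension mismatch worth quarantining until DjVuLibre is patched.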
Security researcher Antonio discovered the vulnerability through fuzzing techniques while researching the Evince reader. The exploit was later weaponized into a working proof-of-concept (PoC) by Kev, who demonstrated its effectiveness on an up-to-date Ubuntu 25.04 system with all standard security protections enabled.
The report explains:
“Kev clicks on a malicious DjVu document in his ~/Downloads directory. The file is named poc.pdf, but it’s actually in DjVu format… The default document viewer detects it as DjVu and uses DjVuLibre to decode it. The file exploits the OOB write vulnerability and triggers a call to system("google-chrome https://www.youtube.com/…"). Rick Astley appears.”
“The AppArmor profile prohibits you from starting an arbitrary process but makes an exception for google-chrome… So it was easier to play a YouTube video than pop a calculator.”
Still, researchers warn that the AppArmor profile is “not particularly restrictive”. While it blocks execution of obvious payloads like /usr/bin/gnome-calculator, it allows arbitrary file writes to the user’s home directory. This leaves room for escalation and persistence strategies.
At the heart of CVE-2025-53367 is a lack of boundary checks on two buffer pointers, pr and xr, which are used in the decoding process:
“The scanruns method does not check that those pointers remain within the bounds of the allocated buffers… This can lead to writes beyond the allocated memory, resulting in a heap corruption condition.”
Notably, the flaw permits both out-of-bounds writes and out-of-bounds reads, which amplifies the risk of memory corruption and arbitrary code execution.
The bug has been responsibly disclosed and patched in DjVuLibre v3.5.29. All users and Linux distributions are urged to upgrade immediately. Popular platforms like Evince and Papers that integrate DjVuLibre should roll out updates swiftly to avoid widespread exposure.