CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre
Blog post from GitHub
DjVuLibre version 3.5.29 was released to fix a critical out-of-bounds write vulnerability (CVE-2025-53367) in the MMRDecoder::scanruns method. The bug could allow remote code execution when a crafted DjVu document is opened on Linux systems.

The vulnerability was discovered by fuzzing by Antonio Morales and further explored by Kevin Backhouse, who developed a proof-of-concept exploit: a malicious DjVu file, disguised with a .pdf extension, that opens a YouTube video in Google Chrome on an up-to-date Ubuntu 25.04 system. The exploit leverages a weakness in the AppArmor profile, which permits certain actions, such as launching Google Chrome, while generally restricting arbitrary process execution.

Although the exploit is occasionally unreliable, it bypasses Address Space Layout Randomization (ASLR), and the underlying defect, unchecked pointer operations in the MMRDecoder's buffer management, can corrupt the heap; together these make the vulnerability a realistic concern. The swift response by Léon Bottou and Bill Riemers in releasing a patch demonstrates effective collaboration between security researchers and software maintainers in addressing open-source vulnerabilities.
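As an added illustration of the bug class the summary names (an unchecked pointer write into a fixed-size run buffer), and not code from DjVuLibre or from the blog post, the following constructed toy run-length decoder in C shows the defensive pattern: compare the write cursor against the buffer limit before every store, and reject the input rather than write past the end. The names (`run_buffer`, `decode_runs`, `MAX_RUNS`) and the one-byte-per-run input format are hypothetical; the constructed inputs in `main` stand in for a well-formed scanline and for a stream that claims more runs than the buffer can hold.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a fixed-size buffer of run lengths for one scanline.
 * Hypothetical stand-in for a decoder's line buffer, not DjVuLibre's code. */
#define MAX_RUNS 8

typedef struct {
    uint16_t runs[MAX_RUNS];  /* run lengths recorded for one scanline */
    uint16_t *cursor;         /* next free slot */
    uint16_t *limit;          /* one past the last valid slot */
    int overflowed;           /* set when input tried to exceed the buffer */
} run_buffer;

void run_buffer_init(run_buffer *rb) {
    rb->cursor = rb->runs;
    rb->limit = rb->runs + MAX_RUNS;
    rb->overflowed = 0;
}

/* The unchecked form of the store, shown only as a comment so the block never
 * performs it, is the pattern that lets crafted input write out of bounds:
 *     *rb->cursor++ = run;   // no comparison against rb->limit
 */

/* Hardened append: check the cursor against the limit before writing. */
int run_buffer_push(run_buffer *rb, uint16_t run) {
    if (rb->cursor >= rb->limit) {
        rb->overflowed = 1;   /* record that the input was malformed */
        return -1;
    }
    *rb->cursor++ = run;
    return 0;
}

/* Decode one scanline of `width` pixels from a constructed stream in which
 * each byte is a run length. Returns the number of runs stored, or -1 if the
 * input is malformed: a run overruns the line width, the stream is truncated,
 * or the stream claims more runs than the buffer has slots. */
int decode_runs(const uint8_t *data, size_t len, unsigned width, run_buffer *rb) {
    unsigned pos = 0;
    run_buffer_init(rb);
    for (size_t i = 0; i < len && pos < width; i++) {
        uint16_t run = data[i];
        if (pos + run > width)              /* run claims more pixels than remain */
            return -1;
        if (run_buffer_push(rb, run) != 0)  /* buffer full: reject, do not write past it */
            return -1;
        pos += run;
    }
    if (pos != width)                       /* truncated stream */
        return -1;
    return (int)(rb->cursor - rb->runs);
}

int main(void) {
    run_buffer rb;
    /* constructed well-formed scanline: 3 + 2 + 3 pixels of an 8-pixel line */
    uint8_t good[] = {3, 2, 3};
    /* constructed malformed stream: ten 1-pixel runs, more than MAX_RUNS slots */
    uint8_t too_many[] = {1, 1, 1, 1, 1, 1, 1, 1, 1, 1};

    printf("good stream stored %d runs\n", decode_runs(good, sizeof good, 8, &rb));
    printf("crafted stream result %d, overflowed=%d\n",
           decode_runs(too_many, sizeof too_many, 10, &rb), rb.overflowed);
    return 0;
}
```

The first stream decodes to three runs; the second is rejected with `overflowed` set instead of the ninth run being written past the end of `runs`, which is the point at which an unchecked decoder would corrupt adjacent heap memory.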