CVE-2024-12647
Published: 28 January 2025
Description
Buffer overflow in CPCA font download processing of Small Office Multifunction Printers and Laser Printers (*), which may allow an attacker on the network segment to make the affected product unresponsive or to execute arbitrary code.

(*) Affected products:
- Satera MF656Cdw/Satera MF654Cdw firmware v05.04 and earlier, sold in Japan.
- Color imageCLASS MF656Cdw/Color imageCLASS MF654Cdw/Color imageCLASS MF653Cdw/Color imageCLASS MF652Cdw/Color imageCLASS LBP633Cdw/Color imageCLASS LBP632Cdw firmware v05.04 and earlier, sold in US.
- i-SENSYS MF657Cdw/i-SENSYS MF655Cdw/i-SENSYS MF651Cdw/i-SENSYS LBP633Cdw/i-SENSYS LBP631Cdw firmware v05.04 and earlier, sold in Europe.
Security Summary
CVE-2024-12647 is a buffer overflow vulnerability (CWE-787) in the CPCA font download processing component of certain Canon Small Office Multifunction Printers and Laser Printers. It affects Satera MF656Cdw and MF654Cdw (Japan), Color imageCLASS MF656Cdw, MF654Cdw, MF653Cdw, MF652Cdw, LBP633Cdw, and LBP632Cdw (US), and i-SENSYS MF657Cdw, MF655Cdw, MF651Cdw, LBP633Cdw, and LBP631Cdw (Europe), all running firmware version v05.04 and earlier. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
An unauthenticated attacker on the same network segment can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation may cause the affected printer to become unresponsive (denial of service) or allow execution of arbitrary code, potentially compromising the device's integrity, confidentiality, and availability.
Canon has published advisories detailing responses to this vulnerability, including measures against the buffer overflow. Relevant support information is available at:
- https://canon.jp/support/support-info/250127vulnerability-response
- https://psirt.canon/advisory-information/cp2025-001/
- https://www.canon-europe.com/support/product-security/#news
- https://www.usa.canon.com/support/canon-product-advisories/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers
Details
- CWE(s)