CVE-2025-14236 - Vulnerability Details

Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Canon	1238i Ii 1238if Ii 1238p Ii 1238pr Ii Color Imageclass Lbp630c Color Imageclass Mf650c I-sensys Lbp230 I-sensys Lbp630c I-sensys Mf450 I-sensys Mf550 I-sensys Mf650c Imageclass Lbp230 Imageclass Mf450 Imageclass X Lbp1238 Ii Imageclass X Mf1238 Ii Imageclass X Mf1643i Ii Imageclass X Mf1643if Ii Imagerunner 1643i Ii Imagerunner 1643if Ii Lbp1238 Ii Lbp1238 Ii Firmware Lbp236dw Lbp236dw Firmware Lbp237dw Lbp237dw Firmware Lbp632cdw Lbp632cdw Firmware Lbp633cdw Lbp633cdw Firmware Mf1238 Ii Mf1238 Ii Firmware Mf1643i Ii Mf1643i Ii Firmware Mf1643if Ii Mf1643if Ii Firmware Mf451dw Mf451dw Firmware Mf452dw Mf452dw Firmware Mf453dw Mf453dw Firmware Mf455dw Mf455dw Firmware Mf652cdw Mf652cw Firmware Mf653cdw Mf653cdw Firmware Mf654cdw Mf654cdw Firmware Mf656cdw Mf656cdw Firmware Satera Lbp670c Satera Mf750c

Configuration 1 [-]

AND

cpe:2.3:o:canon:mf455dw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf455dw:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:canon:mf453dw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf453dw:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:canon:mf452dw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf452dw:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:canon:mf451dw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf451dw:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:canon:mf654cdw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf654cdw:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:canon:mf656cdw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf656cdw:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:canon:mf653cdw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf653cdw:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:canon:mf652cw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf652cdw:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:canon:mf1238_ii_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf1238_ii:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:canon:mf1643if_ii_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf1643if_ii:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:canon:mf1643i_ii_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:mf1643i_ii:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:canon:lbp237dw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:lbp237dw:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:canon:lbp236dw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:lbp236dw:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:canon:lbp633cdw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:lbp633cdw:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:canon:lbp632cdw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:lbp632cdw:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:canon:lbp1238_ii_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:canon:lbp1238_ii:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://canon.jp/support/support-info/260115vulnerability-response
https://psirt.canon/advisory-information/cp2026-001/
https://www.canon-europe.com/support/product-security/
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers

History

Mon, 26 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Canon lbp1238 Ii Canon lbp1238 Ii Firmware Canon lbp236dw Canon lbp236dw Firmware Canon lbp237dw Canon lbp237dw Firmware Canon lbp632cdw Canon lbp632cdw Firmware Canon lbp633cdw Canon lbp633cdw Firmware Canon mf1238 Ii Canon mf1238 Ii Firmware Canon mf1643i Ii Canon mf1643i Ii Firmware Canon mf1643if Ii Canon mf1643if Ii Firmware Canon mf451dw Canon mf451dw Firmware Canon mf452dw Canon mf452dw Firmware Canon mf453dw Canon mf453dw Firmware Canon mf455dw Canon mf455dw Firmware Canon mf652cdw Canon mf652cw Firmware Canon mf653cdw Canon mf653cdw Firmware Canon mf654cdw Canon mf654cdw Firmware Canon mf656cdw Canon mf656cdw Firmware
CPEs		cpe:2.3:h:canon:lbp1238_ii:-:::::::* cpe:2.3:h:canon:lbp236dw:-:::::::* cpe:2.3:h:canon:lbp237dw:-:::::::* cpe:2.3:h:canon:lbp632cdw:-:::::::* cpe:2.3:h:canon:lbp633cdw:-:::::::* cpe:2.3:h:canon:mf1238_ii:-:::::::* cpe:2.3:h:canon:mf1643i_ii:-:::::::* cpe:2.3:h:canon:mf1643if_ii:-:::::::* cpe:2.3:h:canon:mf451dw:-:::::::* cpe:2.3:h:canon:mf452dw:-:::::::* cpe:2.3:h:canon:mf453dw:-:::::::* cpe:2.3:h:canon:mf455dw:-:::::::* cpe:2.3:h:canon:mf652cdw:-:::::::* cpe:2.3:h:canon:mf653cdw:-:::::::* cpe:2.3:h:canon:mf654cdw:-:::::::* cpe:2.3:h:canon:mf656cdw:-:::::::* cpe:2.3:o:canon:lbp1238_ii_firmware:::::::: cpe:2.3:o:canon:lbp236dw_firmware:::::::: cpe:2.3:o:canon:lbp237dw_firmware:::::::: cpe:2.3:o:canon:lbp632cdw_firmware:::::::: cpe:2.3:o:canon:lbp633cdw_firmware:::::::: cpe:2.3:o:canon:mf1238_ii_firmware:::::::: cpe:2.3:o:canon:mf1643i_ii_firmware:::::::: cpe:2.3:o:canon:mf1643if_ii_firmware:::::::: cpe:2.3:o:canon:mf451dw_firmware:::::::: cpe:2.3:o:canon:mf452dw_firmware:::::::: cpe:2.3:o:canon:mf453dw_firmware:::::::: cpe:2.3:o:canon:mf455dw_firmware:::::::: cpe:2.3:o:canon:mf652cw_firmware:::::::: cpe:2.3:o:canon:mf653cdw_firmware:::::::: cpe:2.3:o:canon:mf654cdw_firmware:::::::: cpe:2.3:o:canon:mf656cdw_firmware::::::::
Vendors & Products		Canon lbp1238 Ii Canon lbp1238 Ii Firmware Canon lbp236dw Canon lbp236dw Firmware Canon lbp237dw Canon lbp237dw Firmware Canon lbp632cdw Canon lbp632cdw Firmware Canon lbp633cdw Canon lbp633cdw Firmware Canon mf1238 Ii Canon mf1238 Ii Firmware Canon mf1643i Ii Canon mf1643i Ii Firmware Canon mf1643if Ii Canon mf1643if Ii Firmware Canon mf451dw Canon mf451dw Firmware Canon mf452dw Canon mf452dw Firmware Canon mf453dw Canon mf453dw Firmware Canon mf455dw Canon mf455dw Firmware Canon mf652cdw Canon mf652cw Firmware Canon mf653cdw Canon mf653cdw Firmware Canon mf654cdw Canon mf654cdw Firmware Canon mf656cdw Canon mf656cdw Firmware

Fri, 16 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 16 Jan 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Canon Canon 1238i Ii Canon 1238if Ii Canon 1238p Ii Canon 1238pr Ii Canon color Imageclass Lbp630c Canon color Imageclass Mf650c Canon i-sensys Lbp230 Canon i-sensys Lbp630c Canon i-sensys Mf450 Canon i-sensys Mf550 Canon i-sensys Mf650c Canon imageclass Lbp230 Canon imageclass Mf450 Canon imageclass X Lbp1238 Ii Canon imageclass X Mf1238 Ii Canon imageclass X Mf1643i Ii Canon imageclass X Mf1643if Ii Canon imagerunner 1643i Ii Canon imagerunner 1643if Ii Canon satera Lbp670c Canon satera Mf750c
Vendors & Products		Canon Canon 1238i Ii Canon 1238if Ii Canon 1238p Ii Canon 1238pr Ii Canon color Imageclass Lbp630c Canon color Imageclass Mf650c Canon i-sensys Lbp230 Canon i-sensys Lbp630c Canon i-sensys Mf450 Canon i-sensys Mf550 Canon i-sensys Mf650c Canon imageclass Lbp230 Canon imageclass Mf450 Canon imageclass X Lbp1238 Ii Canon imageclass X Mf1238 Ii Canon imageclass X Mf1643i Ii Canon imageclass X Mf1643if Ii Canon imagerunner 1643i Ii Canon imagerunner 1643if Ii Canon satera Lbp670c Canon satera Mf750c

Thu, 15 Jan 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers() which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. : Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe.
Weaknesses		CWE-787
References		https://canon.jp/support/support-info/260115vulnerability-response https://psirt.canon/advisory-information/cp2026-001/ https://www.canon-europe.com/support/product-security/ https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Canon

Published: 2026-01-15T23:39:50.760Z

Updated: 2026-01-17T04:55:20.469Z

Reserved: 2025-12-07T23:53:42.485Z

Link: CVE-2025-14236

Vulnrichment

Updated: 2026-01-16T15:42:00.450Z

NVD

Status : Analyzed

Published: 2026-01-16T00:16:28.093

Modified: 2026-01-26T15:11:28.623

Link: CVE-2025-14236

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object