Created attachment 26352 [details] patch When determining the length of the "$Blend" array, an unsigned short is used, which can easily overflow and indicate an incorrect length. During the copying process, the entire array is copied, leading to a buffer overflow.
Created attachment 26353 [details] exploit Exploit for x64 Linux. gs -q -dNODISPLAY dollarblend.ps
CVE-2025-27830
Fixed: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dc17ab3fe8c