psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.
https://access.redhat.com/errata/RHBA-2019:0327
https://access.redhat.com/errata/RHSA-2019:0229
https://lists.debian.org/debian-lts-announce/2018/11/msg00036.html