Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.
AnalysisAI
Heap overflow in MuPDF 1.27.0 PDF parser enables arbitrary code execution when victims open maliciously crafted PDF files. Integer overflow in pdf_load_image_imp function allows heap-based buffer overflow through crafted PDF image objects. Upstream fix committed (a26f0142e7) but packaged release version unconfirmed. EPSS probability low (0.02%, 4th percentile) indicates theoretical risk without active exploitation campaigns. Requires local file access and user interaction (opening malicious PDF), limiting remote attack scenarios but viable for phishing/watering hole attacks.
Technical ContextAI
MuPDF is a lightweight PDF and XPS viewer library from Artifex Software, commonly embedded in applications requiring PDF rendering capabilities. The vulnerability resides in pdf-image.c within the pdf_load_image_imp function, which handles image object parsing from PDF streams. CWE-190 (Integer Overflow) occurs when processing malformed image dimensions or buffer size calculations, causing wraparound to small allocation sizes while subsequent write operations use the original large values. This classic integer-to-buffer-overflow pattern produces heap corruption beyond allocated boundaries. CPE string indicates vulnerability affects MuPDF versions through 1.27.0, including PyMuPDF Python bindings that wrap the native library. The PDF specification's flexibility in image encoding formats (JPEG, JPEG2000, JBIG2, raw samples) creates complex parsing paths where integer validation failures can occur.
RemediationAI
Upstream fix available in commit a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85 at both GitHub (github.com/ArtifexSoftware/mupdf) and Ghostscript cgit repository. Debian has issued security updates per debian-lts-announce list (April 2026). Organizations should upgrade to patched MuPDF versions distributed through their package managers or build from source incorporating commit a26f0142e7 or later. For systems where immediate patching is infeasible, implement defense-in-depth controls: (1) process untrusted PDFs in sandboxed environments (containers, VMs, or browser-based viewers with process isolation), accepting performance overhead; (2) deploy application allowlisting to prevent execution of unexpected child processes from PDF viewers; (3) disable automatic PDF preview/thumbnail generation in file managers and email clients, requiring explicit user action to render; (4) use SELinux/AppArmor mandatory access control to restrict PDF viewer capabilities even if exploitation succeeds. For server-side PDF processing, consider alternative libraries (e.g., Poppler, pdf.js in headless browser) until MuPDF updates are validated, though this introduces migration complexity and potential feature gaps.
Stack-based buffer overflow in the xps_parse_color function in xps/xps-common.c in MuPDF 1.3 and earlier allows remote a
An issue was discovered in Artifex MuPDF before 1912de5f08e90af1d9d0a9791f58ba3afdb9d465. Rated high severity (CVSS 7.5)
Stack-based buffer overflow in jstest_main.c in mujstest in Artifex Software, Inc. Rated high severity (CVSS 7.8), this
Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, rela
Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted
Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted
Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing
In Artifex MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could al
Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Po
freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry functi
freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function. Rated
A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in functon compute_colo
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17412
GHSA-6jrq-hjxp-2x5r