Skip to main content

Mupdf CVE-2026-3308

| EUVDEUVD-2026-17412 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-03-31 certcc GHSA-6jrq-hjxp-2x5r
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 21, 2026 - 10:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 10:22 vuln.today
cvss_changed
EUVD ID Assigned
Mar 31, 2026 - 13:48 euvd
EUVD-2026-17412
Analysis Generated
Mar 31, 2026 - 13:48 vuln.today
CVE Published
Mar 31, 2026 - 13:13 nvd
HIGH 7.8

DescriptionCVE.org

An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.

AnalysisAI

Heap overflow in MuPDF 1.27.0 PDF parser enables arbitrary code execution when victims open maliciously crafted PDF files. Integer overflow in pdf_load_image_imp function allows heap-based buffer overflow through crafted PDF image objects. Upstream fix committed (a26f0142e7) but packaged release version unconfirmed. EPSS probability low (0.02%, 4th percentile) indicates theoretical risk without active exploitation campaigns. Requires local file access and user interaction (opening malicious PDF), limiting remote attack scenarios but viable for phishing/watering hole attacks.

Technical ContextAI

MuPDF is a lightweight PDF and XPS viewer library from Artifex Software, commonly embedded in applications requiring PDF rendering capabilities. The vulnerability resides in pdf-image.c within the pdf_load_image_imp function, which handles image object parsing from PDF streams. CWE-190 (Integer Overflow) occurs when processing malformed image dimensions or buffer size calculations, causing wraparound to small allocation sizes while subsequent write operations use the original large values. This classic integer-to-buffer-overflow pattern produces heap corruption beyond allocated boundaries. CPE string indicates vulnerability affects MuPDF versions through 1.27.0, including PyMuPDF Python bindings that wrap the native library. The PDF specification's flexibility in image encoding formats (JPEG, JPEG2000, JBIG2, raw samples) creates complex parsing paths where integer validation failures can occur.

RemediationAI

Upstream fix available in commit a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85 at both GitHub (github.com/ArtifexSoftware/mupdf) and Ghostscript cgit repository. Debian has issued security updates per debian-lts-announce list (April 2026). Organizations should upgrade to patched MuPDF versions distributed through their package managers or build from source incorporating commit a26f0142e7 or later. For systems where immediate patching is infeasible, implement defense-in-depth controls: (1) process untrusted PDFs in sandboxed environments (containers, VMs, or browser-based viewers with process isolation), accepting performance overhead; (2) deploy application allowlisting to prevent execution of unexpected child processes from PDF viewers; (3) disable automatic PDF preview/thumbnail generation in file managers and email clients, requiring explicit user action to render; (4) use SELinux/AppArmor mandatory access control to restrict PDF viewer capabilities even if exploitation succeeds. For server-side PDF processing, consider alternative libraries (e.g., Poppler, pdf.js in headless browser) until MuPDF updates are validated, though this introduces migration complexity and potential feature gaps.

More in Mupdf

View all
CVE-2014-2013 HIGH POC
7.5 Mar 03

Stack-based buffer overflow in the xps_parse_color function in xps/xps-common.c in MuPDF 1.3 and earlier allows remote a

CVE-2017-5991 HIGH POC
7.5 Feb 15

An issue was discovered in Artifex MuPDF before 1912de5f08e90af1d9d0a9791f58ba3afdb9d465. Rated high severity (CVSS 7.5)

CVE-2017-6060 HIGH POC
7.8 Mar 15

Stack-based buffer overflow in jstest_main.c in mujstest in Artifex Software, Inc. Rated high severity (CVSS 7.8), this

CVE-2017-14686 HIGH POC
7.8 Sep 22

Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, rela

CVE-2017-14687 HIGH POC
7.8 Sep 22

Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted

CVE-2017-14685 HIGH POC
7.8 Sep 22

Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted

CVE-2019-13290 HIGH POC
7.8 Jul 04

Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing

CVE-2018-1000038 HIGH POC
7.8 May 24

In Artifex MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could al

CVE-2018-1000051 HIGH POC
7.8 Feb 09

Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Po

CVE-2024-24259 HIGH POC
7.5 Feb 05

freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry functi

CVE-2024-24258 HIGH POC
7.5 Feb 05

freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function. Rated

CVE-2023-51107 HIGH POC
7.5 Dec 26

A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in functon compute_colo

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-3308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy