What is the CVSS score of CVE-2026-3308?

CVE-2026-3308 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Artifex's MuPDF are affected by CVE-2026-3308?

MuPDF 1.27.0 contains a heap overflow vulnerability in PDF image parsing that enables arbitrary code execution when users open maliciously crafted PDF files.

How to fix or mitigate CVE-2026-3308?

Within 24 hours: Identify all systems and applications using MuPDF 1.27.0 (check application manifests, dependencies, and vendor bills of materials). Within 7 days: Contact MuPDF vendor (Artifex) to confirm availability of patched release version beyond 1.27.0 and commit a26f0142e7 status. Communicate interim risk to users and restrict PDF processing from untrusted sources. Within 30 days: Deploy patched MuPDF version once released and confirmed, or implement application-level sandboxing for PDF parsing if no patch timeline is established.

Artifex's MuPDF CVE-2026-3308

EUVD-2026-17412 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-03-31 certcc

GHSA-6jrq-hjxp-2x5r

RCE Buffer Overflow Integer Overflow

7.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 21, 2026 - 10:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 21, 2026 - 10:22 vuln.today

cvss_changed

EUVD ID Assigned

Mar 31, 2026 - 13:48 euvd

EUVD-2026-17412

Analysis Generated

Mar 31, 2026 - 13:48 vuln.today

CVE Published

Mar 31, 2026 - 13:13 nvd

HIGH 7.8

DescriptionNVD

An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.

AnalysisAI

Heap overflow in MuPDF 1.27.0 PDF parser enables arbitrary code execution when victims open maliciously crafted PDF files. Integer overflow in pdf_load_image_imp function allows heap-based buffer overflow through crafted PDF image objects. …

RemediationAI

Within 24 hours: Identify all systems and applications using MuPDF 1.27.0 (check application manifests, dependencies, and vendor bills of materials). Within 7 days: Contact MuPDF vendor (Artifex) to confirm availability of patched release version beyond 1.27.0 and commit a26f0142e7 status. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-3308 vulnerability details – vuln.today

Back

Artifex's MuPDF CVE-2026-3308

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code