EUVD-2026-30337CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionNVD
PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4.
AnalysisAI
Double-free vulnerability in PoDoFo 1.0.0 through 1.0.3 allows local attackers with user interaction to trigger heap corruption via failed digest operations in PDF signing routines, potentially causing denial of service. The vulnerability exists in compute_hash_to_sign() where EVP_DigestFinal failure causes buf to be freed twice, corrupting heap metadata. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today