Artifex MuPDF EUVD-2026-26000

CVE-2026-7233 LOW
Out-of-bounds Read (CWE-125)
2026-04-28 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (6 events)

  • PoC Detected · Apr 29, 2026 - 17:15 · vuln.today · Public exploit code
  • CVSS changed · Apr 28, 2026 - 07:22 · NVD · 3.3 (LOW) → 1.9 (LOW)
  • Analysis Generated · Apr 28, 2026 - 06:45 · vuln.today
  • EUVD ID Assigned · Apr 28, 2026 - 06:30 · euvd · EUVD-2026-26000
  • Analysis Generated · Apr 28, 2026 - 06:30 · vuln.today
  • CVE Published · Apr 28, 2026 - 06:00 · nvd · LOW 1.9

Description (CVE.org)

A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.

Analysis (AI)

Out-of-bounds read in Artifex MuPDF up to version 1.28.0 within the CFF Index Handler's fz_subset_cff_for_gids function allows local attackers with low privileges to disclose sensitive information from application memory. The vulnerability requires local access and low privilege level but can be triggered without user interaction; publicly available exploit code exists and the vulnerability remains unpatched as of the last vendor response.

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain local system access as low-privilege user
  • Delivery: Craft malicious PDF with CFF font subset data
  • Exploit: Submit PDF to vulnerable MuPDF application
  • Execution: Trigger CFF parsing via fz_subset_cff_for_gids
  • Persist: Out-of-bounds read accesses adjacent memory
  • Impact: Disclose sensitive data from application memory

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the following concrete prerequisites: (1) Local system access as a low-privilege user account (PR:L in CVSS vector); (2) Ability to provide a malformed PDF document to an application that uses the vulnerable MuPDF library - this may be achieved by uploading a file to a document processing service, emailing a PDF to a recipient, or placing a file in a shared directory; (3) The MuPDF application must attempt to parse or subset CFF font data from the malicious PDF, which occurs automatically during normal PDF rendering unless CFF font handling is explicitly disabled; (4) The vulnerable versions (up to 1.28.0) must be deployed - systems running newer versions (if released) would not be affected. …

Risk Assessment: The CVSS 3.3 base score reflects low severity with limited real-world impact: local-only attack vector (AV:L) and requirement for low-privilege user account (PR:L) substantially reduce exploitability compared to network-accessible vulnerabilities. …

Exploit Scenario: An attacker with local user-level access on a multi-user system crafts a malicious PDF file containing specially crafted CFF font subset data that triggers an out-of-bounds read in fz_subset_cff_for_gids. When an application using MuPDF processes this PDF (e.g., via a document service, preview API, or user action), the function reads beyond buffer boundaries and exposes adjacent application memory containing sensitive data such as other users' document content, encryption keys, or application secrets. …

Remediation: No vendor-released patch has been identified at the time of analysis, despite early notification to Artifex through bug tracking. …
