PoDoFo EUVD-2026-30337

CVE-2026-44348 | Severity: LOW
Double Free (CWE-415)
2026-05-14 GitHub_M
CVSS 3.1 score: 2.5

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Patch available: May 14, 2026 - 18:02 EUVD
Source Code Evidence Fetched: May 14, 2026 - 17:34 vuln.today
Analysis Generated: May 14, 2026 - 17:34 vuln.today
CVE Published: May 14, 2026 - 16:38 nvd (LOW 2.5)

Description (NVD)

PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4.
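
The cleanup-path pattern described above, as an added example that is not PoDoFo's code and not the 1.0.4 patch: the function names, `tracked_free` and `digest_final_stub` (a stand-in for a failing EVP_DigestFinal) are hypothetical. The instrumented free counts a repeat release instead of performing it, and the hardened shape shows one common remedy, clearing the pointer at the release site.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed instrumentation: a repeat free is counted, not performed,
   so the demo runs without corrupting the heap. */
static void *last_freed;
static int repeat_frees;

static void tracked_free(void *p) {
    if (p == NULL) return;                 /* free(NULL) is a no-op */
    if (p == last_freed) { repeat_frees++; return; }
    last_freed = p;
    free(p);
}

/* Hypothetical stand-in for EVP_DigestFinal: 1 on success, 0 on failure. */
static int digest_final_stub(int fail) { return fail ? 0 : 1; }

/* Shape described in the advisory: buf is released before the final
   digest call, and the Error label releases it again. */
int hash_vulnerable_shape(int fail_final) {
    unsigned char *buf = malloc(64);
    last_freed = NULL; repeat_frees = 0;
    if (buf == NULL) goto Error;
    tracked_free(buf);                     /* early release, buf left dangling */
    if (!digest_final_stub(fail_final)) goto Error;
    return repeat_frees;
Error:
    tracked_free(buf);                     /* second release of the same block */
    return repeat_frees;
}

/* Hardened shape (assumed remedy): clear the pointer at the release site. */
int hash_hardened_shape(int fail_final) {
    unsigned char *buf = malloc(64);
    last_freed = NULL; repeat_frees = 0;
    if (buf == NULL) goto Error;
    tracked_free(buf);
    buf = NULL;                            /* Error label now frees NULL */
    if (!digest_final_stub(fail_final)) goto Error;
    return repeat_frees;
Error:
    tracked_free(buf);
    return repeat_frees;
}

int main(void) {
    printf("repeat frees: vulnerable=%d hardened=%d\n", hash_vulnerable_shape(1), hash_hardened_shape(1));
    return 0;
}
```

The repeat free only occurs on the failure path, which is why ordinary success-path tests do not surface it; building with AddressSanitizer and forcing the final digest call to fail is one way to exercise such a path.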

Analysis (AI)

Double-free vulnerability in PoDoFo 1.0.0 through 1.0.3 allows local attackers with user interaction to trigger heap corruption via failed digest operations in PDF signing routines, potentially causing denial of service. The vulnerability exists in compute_hash_to_sign() where EVP_DigestFinal failure causes buf to be freed twice, corrupting heap metadata. …
