CVE-2026-25556

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25556
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25556.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25556
Downstream
Published
2026-02-06T17:16:27.387Z
Modified
2026-03-13T04:10:54.300946Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fzfillpixmapfromdisplaylist() when an exception occurs during display list rendering. The function accepts a caller-owned fzpixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fzdecodebarcodefromdisplay_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.

References

Affected packages

Git / github.com/artifexsoftware/mupdf

Affected ranges

Type
GIT
Repo
https://github.com/artifexsoftware/mupdf
Events
Introduced
56d20b3d29f9fd4e2dabcd9b3abe66bcd1e4990c
Last affected
d3b7556577b790e9761868c314ad6fd9b6dd86a9
Database specific 
{
    "versions": [
        {
            "introduced": "1.23.0"
        },
        {
            "last_affected": "1.27.0"
        }
    ]
}

Affected versions

1.*
1.23.0
1.24.0
1.24.0-rc1
1.25.0-rc1
1.26.0-rc1
1.26.0-rc2
1.27.0
1.27.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25556.json"