UBUNTU-CVE-2025-9394

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-9394

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-9394

Upstream

CVE-2025-9394

Published

2025-08-24T16:15:00Z

Modified

2026-01-20T19:17:18.839989Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
1.9 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue.

References

Affected packages

Ubuntu:24.04:LTS

libpodofo

Package

Name: libpodofo
Purl: pkg:deb/ubuntu/libpodofo@0.9.8+dfsg-3.1build3?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.8+dfsg-3build1

0.9.8+dfsg-3build2

0.9.8+dfsg-3.1build1

0.9.8+dfsg-3.1build2

0.9.8+dfsg-3.1build3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.8+dfsg-3.1build3",
            "binary_name": "libpodofo-dev"
        },
        {
            "binary_version": "0.9.8+dfsg-3.1build3",
            "binary_name": "libpodofo-utils"
        },
        {
            "binary_version": "0.9.8+dfsg-3.1build3",
            "binary_name": "libpodofo0.9.8t64"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json"

Ubuntu:25.10

libpodofo

Package

Name: libpodofo
Purl: pkg:deb/ubuntu/libpodofo@0.9.8+dfsg-3.2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.8+dfsg-3.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.8+dfsg-3.2",
            "binary_name": "libpodofo-dev"
        },
        {
            "binary_version": "0.9.8+dfsg-3.2",
            "binary_name": "libpodofo-utils"
        },
        {
            "binary_version": "0.9.8+dfsg-3.2",
            "binary_name": "libpodofo0.9.8t64"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json"

Ubuntu:Pro:14.04:LTS

libpodofo

Package

Name: libpodofo
Purl: pkg:deb/ubuntu/libpodofo@0.9.0-1.2ubuntu0.1~esm3?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.0-1.1ubuntu1

0.9.0-1.2

0.9.0-1.2ubuntu0.1~esm1

0.9.0-1.2ubuntu0.1~esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.0-1.2ubuntu0.1~esm3",
            "binary_name": "libpodofo-dev"
        },
        {
            "binary_version": "0.9.0-1.2ubuntu0.1~esm3",
            "binary_name": "libpodofo-utils"
        },
        {
            "binary_version": "0.9.0-1.2ubuntu0.1~esm3",
            "binary_name": "libpodofo0.9.0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json"

Ubuntu:Pro:16.04:LTS

libpodofo

Package

Name: libpodofo
Purl: pkg:deb/ubuntu/libpodofo@0.9.3-4ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.0-1.3

0.9.3-3

0.9.3-4

0.9.3-4ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.3-4ubuntu0.1~esm1",
            "binary_name": "libpodofo-dev"
        },
        {
            "binary_version": "0.9.3-4ubuntu0.1~esm1",
            "binary_name": "libpodofo-utils"
        },
        {
            "binary_version": "0.9.3-4ubuntu0.1~esm1",
            "binary_name": "libpodofo0.9.3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json"

Ubuntu:Pro:18.04:LTS

libpodofo

Package

Name: libpodofo
Purl: pkg:deb/ubuntu/libpodofo@0.9.5-9ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.5-6

0.9.5-8

0.9.5-8build1

0.9.5-9

0.9.5-9ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.5-9ubuntu0.1~esm1",
            "binary_name": "libpodofo-dev"
        },
        {
            "binary_version": "0.9.5-9ubuntu0.1~esm1",
            "binary_name": "libpodofo-utils"
        },
        {
            "binary_version": "0.9.5-9ubuntu0.1~esm1",
            "binary_name": "libpodofo0.9.5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json"

Ubuntu:Pro:20.04:LTS

libpodofo

Package

Name: libpodofo
Purl: pkg:deb/ubuntu/libpodofo@0.9.6+dfsg-5ubuntu0.1~esm1?arch=source&distro=esm-apps/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.6+dfsg-5

0.9.6+dfsg-5build1

0.9.6+dfsg-5ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.6+dfsg-5ubuntu0.1~esm1",
            "binary_name": "libpodofo-dev"
        },
        {
            "binary_version": "0.9.6+dfsg-5ubuntu0.1~esm1",
            "binary_name": "libpodofo-utils"
        },
        {
            "binary_version": "0.9.6+dfsg-5ubuntu0.1~esm1",
            "binary_name": "libpodofo0.9.6"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json"

Ubuntu:Pro:22.04:LTS

libpodofo

Package

Name: libpodofo
Purl: pkg:deb/ubuntu/libpodofo@0.9.7+dfsg-3ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.7+dfsg-2

0.9.7+dfsg-2build1

0.9.7+dfsg-2build2

0.9.7+dfsg-3

0.9.7+dfsg-3ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.7+dfsg-3ubuntu0.1~esm1",
            "binary_name": "libpodofo-dev"
        },
        {
            "binary_version": "0.9.7+dfsg-3ubuntu0.1~esm1",
            "binary_name": "libpodofo-utils"
        },
        {
            "binary_version": "0.9.7+dfsg-3ubuntu0.1~esm1",
            "binary_name": "libpodofo0.9.7"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-9394.json"