{"vuid":"VU#951662","idnumber":"951662","name":"MuPDF by Artifex contains integer overflow vulnerability.","keywords":null,"overview":"### Overview\r\nArtifex's MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. This heap corruption typically causes the application to crash, but in some cases could be exploited to enable arbitrary code execution.\r\n\r\n### Description\r\nArtifex MuPDF is a lightweight framework for viewing and converting PDF, XPS, and e-book files. A vulnerability exists in `pdf_load_image_imp`, which is responsible for preparing image data for decoding.\r\n\r\nThe function processes image parameters including `w` (width), `h` (height), and `bpc` (bits per component), which are used to determine the amount of memory allocated during image decoding. The current implementation validates these parameters against `SIZE_MAX` rather than `INT_MAX`, but because stride calculations use integer-sized values, this check does not sufficiently protect against integer overflow when exceedingly large values are supplied.\r\n\r\nWhen the overflow occurs, the resulting corrupted values are passed into the `fz_unpack_stream` function, which expands packed image samples into a destination buffer during image decoding. Because this too-small overflow value is used to calculate the size of the destination buffer, not enough memory is allocated for the actual size of the image. This causes `fz_unpack_stream` to write beyond the bounds of the allocated heap buffer, resulting in a heap out-of-bounds write. \r\n\r\n### Impact\r\nSuccessful exploitation results in a heap out-of-bounds write during PDF image decoding. 
This condition may cause application crashes and memory corruption, or could potentially allow arbitrary code execution within the context of the application rendering the PDF.\r\nSince this vulnerability is triggered during standard PDF parsing operations, any system that automatically processes or renders untrusted PDF files using MuPDF may be affected.\r\n\r\n### Solution\r\nUnfortunately, the vendor was unreachable to coordinate this vulnerability. Until a complete fix is available, users should avoid processing untrusted PDF files with affected MuPDF-based applications where possible. Applications that rely on MuPDF should isolate document rendering in a sandboxed or low-privilege process and disable automatic rendering or conversion of untrusted files if feasible. A Pull Request (PR) with the fix is available at: https://github.com/ArtifexSoftware/mupdf/pull/87\r\n\r\n### Acknowledgements\r\nThanks to Yarden Porat from Cyata for reporting this vulnerability. This document was written by Michael Bragg.\r\n\r\n**CVE-2026-3308**\r\nAn integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. 
This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://github.com/ArtifexSoftware/mupdf/commit/a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85","https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85","https://github.com/ArtifexSoftware/mupdf","https://github.com/ArtifexSoftware/mupdf/pull/87"],"cveids":["CVE-2026-3308"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-04-02T17:23:15.224011Z","publicdate":"2026-04-02T17:23:15.068807Z","datefirstpublished":"2026-04-02T17:23:15.240691Z","dateupdated":"2026-04-02T17:23:15.068803Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":186}