CVE-2026-25556

Name
CVE-2026-25556
Description
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| disclosure@vulncheck.com | https://bugs.ghostscript.com/show_bug.cgi?id=709029 |
| disclosure@vulncheck.com | https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1 |
| disclosure@vulncheck.com | https://mupdf.com/ |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/mupdf-barcode-decoding-double-free |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:* | mupdf | >= 1.23.0 | <= 1.27.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| mupdf | edge-community | 1.26.12-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.26.11-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.26.4-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.26.2-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.6-r2 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.6-r1 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.6-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.5-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.4-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.3-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.2-r1 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.2-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.25.1-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | edge-community | 1.24.10-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |
| mupdf | 3.23-community | 1.26.11-r0 | Sören Tempel <soeren+alpine@soeren-tempel.net> | possibly vulnerable |