Poppler

Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.

Published: 2025-07-02T15:46:49.733Z
Updated: 2025-11-04T22:06:42.737Z

An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).

Published: 2025-08-04T00:00:00.000Z
Updated: 2025-08-05T16:47:17.021Z

NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.

Published: 2025-04-18T00:00:00.000Z
Updated: 2025-04-21T02:51:02.614Z

Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).

Published: 2025-10-01T00:00:00.000Z
Updated: 2025-10-06T17:41:43.699Z

Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

Published: 2025-04-05T00:00:00.000Z
Updated: 2025-11-03T19:53:23.763Z

A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.

Published: 2025-04-05T00:00:00.000Z
Updated: 2025-11-03T19:53:22.420Z

A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.

Published: 2024-06-21T13:28:23.857Z
Updated: 2025-11-20T19:54:19.834Z

libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.

Published: 2024-12-22T00:00:00.000Z
Updated: 2025-11-03T19:32:17.413Z

A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in OutlineItem::open.

Published: 2023-07-31T00:00:00.000Z
Updated: 2025-11-04T19:16:50.776Z

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

Published: 2022-08-30T02:58:33.566Z
Updated: 2024-09-17T03:54:54.096Z

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).

Published: 2022-08-22T18:33:47.097Z
Updated: 2024-09-16T18:34:06.293Z

An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Published: 2021-08-24T18:49:25.000Z
Updated: 2025-10-21T23:25:37.148Z

A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would crash the application causing a denial of service.

Published: 2020-12-03T16:46:47.000Z
Updated: 2024-08-04T16:25:42.413Z

The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.

Published: 2019-07-22T14:18:19.000Z
Updated: 2024-08-04T22:10:08.644Z

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.

Published: 2019-08-01T16:05:09.000Z
Updated: 2024-08-05T00:19:41.105Z

In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.

Published: 2019-05-23T04:54:12.000Z
Updated: 2024-08-04T23:17:39.558Z

Poppler before 0.66.0 has an integer overflow in Parser::makeStream in Parser.cc.

Published: 2019-09-05T03:24:29.000Z
Updated: 2024-08-05T12:19:27.146Z

Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.

Published: 2018-11-10T19:00:00.000Z
Updated: 2024-08-05T11:30:04.098Z

Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.

Published: 2018-07-25T23:00:00.000Z
Updated: 2024-08-05T09:21:40.696Z

There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to a remote denial of service attack. Later Ubuntu packages such as for Poppler 0.41.0 are not affected.

Published: 2018-05-06T23:00:00.000Z
Updated: 2024-08-05T07:46:47.416Z

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in pdftocairo in Poppler before 0.56 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document.

Published: 2017-06-22T21:00:00.000Z
Updated: 2024-08-05T17:18:01.906Z

Stack buffer overflow in GfxState.cc in pdftocairo in Poppler before 0.56 allows remote attackers to cause a denial of service (application crash) via a crafted PDF document.

Published: 2017-06-22T21:00:00.000Z
Updated: 2024-08-05T17:18:01.815Z

poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into potential denial-of-service.

Published: 2017-06-06T14:00:00.000Z
Updated: 2024-08-05T16:04:11.824Z

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops.

Published: 2018-05-10T15:00:00.000Z
Updated: 2024-08-05T21:13:49.201Z

The JBIG2Stream::readSegments method in JBIG2Stream.cc in Poppler before 0.24.5 does not use the correct specifier within a format string, which allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted PDF file.

Published: 2014-01-26T01:00:00.000Z
Updated: 2024-08-06T18:01:20.423Z

Format string vulnerability in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.3 allows remote attackers to cause a denial of service (crash) via format string specifiers in a destination filename.

Published: 2013-11-23T11:00:00.000Z
Updated: 2024-08-06T16:45:14.323Z

Stack-based buffer overflow in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a source filename.

Published: 2013-11-23T11:00:00.000Z
Updated: 2024-08-06T16:45:14.622Z

The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Published: 2014-04-22T14:00:00.000Z
Updated: 2024-08-06T16:45:14.839Z

poppler/Stream.cc in poppler before 0.22.1 allows context-dependent attackers to have an unspecified impact via vectors that trigger a read of uninitialized memory by the CCITTFaxStream::lookChar function.

Published: 2013-04-09T20:00:00.000Z
Updated: 2024-08-06T15:13:33.193Z

splash/Splash.cc in poppler before 0.22.1 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to the (1) Splash::arbitraryTransformMask, (2) Splash::blitMask, and (3) Splash::scaleMaskYuXu functions.

Published: 2013-04-09T20:00:00.000Z
Updated: 2024-09-16T20:16:57.814Z

poppler before 0.22.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors that trigger an "invalid memory access" in (1) splash/Splash.cc, (2) poppler/Function.cc, and (3) poppler/Stream.cc.

Published: 2013-04-09T20:00:00.000Z
Updated: 2024-08-06T15:13:33.303Z

The error function in Error.cc in poppler before 0.21.4 allows remote attackers to execute arbitrary commands via a PDF containing an escape sequence for a terminal emulator.

Published: 2020-01-09T20:42:47.000Z
Updated: 2024-08-06T19:26:08.483Z

DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

Published: 2014-08-29T17:00:00.000Z
Updated: 2024-08-07T04:09:39.069Z

poppler before 0.16.3 has malformed commands that may cause corruption of the internal stack.

Published: 2019-11-13T19:41:43.000Z
Updated: 2024-08-07T03:51:18.054Z

An integer overflow condition in poppler before 0.16.3 can occur when parsing CharCodes for fonts.

Published: 2019-11-13T19:12:53.000Z
Updated: 2024-08-07T03:51:17.954Z

The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference.

Published: 2010-11-05T17:00:00.000Z
Updated: 2024-08-07T03:18:52.995Z

Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function.

Published: 2007-07-30T23:00:00.000Z
Updated: 2024-08-07T14:14:13.257Z