VU#951662: MuPDF by Artifex contains integer overflow vulnerability.

Overview

Artifex’s MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. This heap corruption typically causes the application to crash, but in some cases could be exploited to enable arbitrary code execution.

Description

Artifex MuPDF is a lightweight framework for viewing and converting PDF, XPS, and e-book files. A vulnerability exists in pdf_load_image_imp, which is responsible for preparing image data for decoding.

The function processes image parameters including w (width), h (height), and bpc (bits per component), which are used to determine the amount of memory allocated during image decoding. The current implementation validates these parameters against SIZE_MAX rather than INT_MAX, but because stride calculations use integer-sized values, this check does not sufficiently protect against integer overflow when exceedingly large values are supplied.

When the overflow occurs, the resulting corrupted values are passed into the fz_unpack_stream function, which expands packed image samples into a destination buffer during image decoding. Because this too-small overflow value is used to calculate the size of the destination buffer, not enough memory is allocated for the actual size of the image. This causes fz_unpack_stream to write beyond the bounds of the allocated heap buffer, resulting in a heap out-of-bounds write.

Impact

Successful exploitation results in a heap out-of-bounds write during PDF image decoding. This condition may cause application crashes and memory corruption, or could potentially allow arbitrary code execution within the context of the application rendering the PDF.
Since this vulnerability is triggered during standard PDF parsing operations, any system that automatically processes or renders untrusted PDF files using MuPDF may be affected.

Solution

Unfortunately, the vendor was unreachable to coordinate this vulnerability. Until a complete fix is available, users should avoid processing untrusted PDF files with affected MuPDF-based applications where possible. Applications that rely on MuPDF should isolate document rendering in a sandboxed or low-privilege process and disable automatic rendering or conversion of untrusted files if feasible. A Pull Request (PR) was with the fix is available at: https://github.com/ArtifexSoftware/mupdf/pull/87

Acknowledgements

Thanks toYarden Porat from Cyata for reporting this vulnerability. This document was written by Michael Bragg.

CVE-2026-3308
An integer overflow vulnerability in ‘pdf-image.c’ in Artifex’s MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the ‘pdf_load_image_imp’ function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.