CVE-2020-19467
Description
An issue has been found in function DCTStream::transformDataUnit in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an Illegal Use After Free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in PDF2JSON 0.70's DCTStream::transformDataUnit allows remote attackers to cause a denial of service via a crafted PDF.
Vulnerability
A use-after-free vulnerability exists in the DCTStream::transformDataUnit function of PDF2JSON version 0.70 (commit b671b64). The bug occurs when processing a specially crafted PDF file that triggers an improper memory deallocation sequence, leading to a read from a freed heap block during DCT stream decoding [1].
Exploitation
An attacker can exploit this issue by providing a malicious PDF file to the victim. No authentication or special network position is required; the victim only needs to process the file with PDF2JSON, for example via a command like pdf2json $PoC /dev/null. The crash reproduces reliably with the proof-of-concept file [1].
Impact
Successful exploitation causes a denial of service (application crash) due to an invalid memory read. The vector is local (user interaction), and the crash occurs during parsing, preventing normal file conversion [1]. No remote code execution or privilege escalation is indicated.
Mitigation
As of the latest referenced information (commit b671b64), no official fix has been released for this vulnerability. Users should avoid processing untrusted PDF files with PDF2JSON until a patched version is made available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PDF2JSON/PDF2JSON
Patches
No patches discovered yet.
References
- [1] github.com/flexpaper/pdf2json/issues/28 (mitre, x_refsource_MISC)