VYPR
Moderate severity · NVD Advisory · Published Feb 1, 2022 · Updated Aug 3, 2024

CVE-2022-24196

Description

A crafted PDF file causes an out-of-memory error in iText 7.1.17 via readStreamBytesRaw, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

iText versions from 7.1.17 up to, but excluding, 7.1.18 and 7.2.2 contain an out-of-memory error in the readStreamBytesRaw component. An attacker can trigger it with a specially crafted PDF file that forces the library to allocate excessive memory during stream processing [1][2].

Exploitation

An attacker does not need any special privileges or authentication; the only requirement is that the targeted application parses a malicious PDF using the vulnerable iText version. The attacker delivers the crafted PDF (e.g., via email, file upload, or network share) and the vulnerable code path is triggered automatically when readStreamBytesRaw processes the malformed stream data [3][4].

Impact

Successful exploitation results in a Denial of Service (DoS) condition: the iText process runs out of memory and crashes, potentially causing the host application to become unresponsive or terminate. No data confidentiality, integrity, or code execution is reported [1].

Mitigation

Upgrade to iText 7.1.18 (if using the 7.1.x line) or 7.2.2 (if using the 7.2.x line), which contain the fix. Users of versions between 7.1.17 and these releases are vulnerable. No workaround is documented; the only mitigation is to apply the available patch [1][2]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions   Patched versions
com.itextpdf:itext7-core   Maven       < 7.1.18            7.1.18

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing resource limits in PdfReader.readStreamBytesRaw allows a crafted PDF to trigger unbounded memory allocation."

Attack vector

An attacker crafts a malicious PDF file that, when parsed by iText 7.1.17, triggers an OutOfMemoryError in PdfReader.readStreamBytesRaw at line 391 [1][2]. The bug is reached during normal PDF stream reading; no special authentication or network position is required beyond delivering the file to the victim application. The crafted PDF causes the library to allocate memory without bounds, exhausting the Java heap and resulting in a denial of service [CWE-770].

Affected code

The vulnerability is located in com.itextpdf.kernel.pdf.PdfReader.readStreamBytesRaw at line 391 [1][2]. This method is part of the PDF stream reading code path in iText 7.1.17.

What the fix does

The advisory does not include a published patch diff. The researchers reported the bug to the iText project via Pull Request #78 [1][2], and the fix was applied in iText versions 7.1.18 and 7.2.2. The remediation introduces resource limits or throttling in the stream-reading code path to prevent unbounded allocation, addressing the out-of-memory condition [CWE-770].

Preconditions

  • Input: the attacker must supply a crafted PDF file that triggers unbounded memory allocation in readStreamBytesRaw.
  • Network: no special network position is required; the PDF can be delivered via any channel (email, upload, web download).

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.