CVE-2022-24198
Description
iText v7.1.17 contains an out-of-bounds exception in ARCFOUREncryption.encryptARCFOUR that can be triggered by a crafted PDF file, leading to Denial of Service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
iText v7.1.17 is affected by an out-of-bounds exception in the ARCFOUREncryption.encryptARCFOUR method [1][3]. The bug is triggered while processing a specially crafted PDF file, inside the encryption routine. The vulnerable code is in ARCFOUREncryption.java at line 93 [3]. The issue is present in version 7.1.17.
Exploitation
An attacker can craft a PDF file that triggers an ArrayIndexOutOfBoundsException when it is opened by an application that uses the iText library [1][3]. No authentication or special privileges are required; the victim only has to open the malicious PDF in an application that relies on iText for PDF parsing. The crash occurs during encryption handling, most likely when the document's security settings are processed [3].
Impact
Successful exploitation results in a Denial of Service (DoS): the unhandled exception aborts the parse and, in an application that does not catch it, takes down the process or the worker thread handling the document [1]. The vendor, iText, does not consider this a security vulnerability and has stated it is not exploitable for anything beyond a DoS [1]. Because the Java runtime bounds-checks every array access, the out-of-bounds read surfaces as an exception rather than as a memory disclosure, and no code execution results.
Mitigation
As of February 2022, no official patch had been released for iText v7.1.17 [1], and the vendor has not acknowledged the issue as a vulnerability [1]; the GitHub Security Advisory nevertheless lists 7.2.0 as the patched version (see Affected packages below). Users should upgrade to 7.2.0 or later. Where that is not possible, pre-screen incoming PDFs and reject those whose /Encrypt dictionary is malformed, and catch the runtime exception at the point where the document is opened so that one crafted file aborts only its own request rather than the whole service. Until a fix is confirmed, the safest course is not to process untrusted PDFs with iText v7.1.17.
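The pre-screen suggested above, written out as an added example (this is not iText's code and not part of the original advisory). It locates the /Encrypt dictionary of a PDF and rejects the file when the Standard security handler's parameters break the invariants ISO 32000-1 imposes for revisions 2 to 4, the revisions that use the RC4 path: /R in 2..4, /Length in 40..128 in steps of 8, and 32-byte /O and /U strings. The page does not say which parameter the crafted file from PR #78 malforms, so whether this gate would catch that file is an assumption; the sample documents are constructed inline. Anything the gate cannot resolve (an indirect /O, a missing object) counts as a rejection, which keeps it conservative.

```python
import re
from typing import Optional

# Invariants of the Standard security handler for revisions 2-4 (the RC4 and
# AES-128 paths), from ISO 32000-1 section 7.6.3. Revision 5/6 (AES-256)
# files use 48-byte /O and /U strings and are rejected here rather than
# modelled, so the gate stays conservative.
RC4_REVISIONS = {2, 3, 4}
OU_STRING_LEN = 32
VALID_KEY_BITS = range(40, 129, 8)

_ENCRYPT_REF = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R\b")
_NAME_INT = re.compile(rb"/(\w+)\s+(-?\d+)(?![\d.])")
_STRING = rb"(<[0-9A-Fa-f\s]*>|\((?:\\.|[^\\)])*\))"


def _find_object(pdf: bytes, num: int, gen: int) -> Optional[bytes]:
    """Return the body of `num gen obj ... endobj`, or None if absent."""
    m = re.search(rb"(?<![\d])%d\s+%d\s+obj\b(.*?)endobj" % (num, gen), pdf, re.S)
    return m.group(1) if m else None


def _decode_string(tok: bytes) -> bytes:
    """Decode a hex string <...> or a literal string (...) into raw bytes."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        if len(digits) % 2:
            digits += b"0"          # an odd trailing digit is padded per spec
        return bytes.fromhex(digits.decode("ascii"))
    simple = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12, 0x28: 40, 0x29: 41, 0x5C: 92}
    out, i, body = bytearray(), 0, tok[1:-1]
    while i < len(body):
        c = body[i]
        if c != 0x5C:
            out.append(c)
            i += 1
            continue
        i += 1                      # skip the backslash
        if i >= len(body):
            break
        oct_m = re.match(rb"[0-7]{1,3}", body[i:])
        if oct_m:
            out.append(int(oct_m.group(0), 8) & 0xFF)
            i += len(oct_m.group(0))
        elif body[i] in simple:
            out.append(simple[body[i]])
            i += 1
        else:
            i += 1                  # unknown escape: drop the backslash
    return bytes(out)


def _string_entry(dict_bytes: bytes, key: bytes) -> Optional[bytes]:
    m = re.search(rb"/" + key + rb"(?!\w)\s*" + _STRING, dict_bytes)
    return _decode_string(m.group(1)) if m else None


def screen_encrypt_dict(pdf: bytes) -> list:
    """Return reasons to reject `pdf`; an empty list means the /Encrypt
    dictionary is absent or satisfies the revision 2-4 invariants."""
    ref = _ENCRYPT_REF.search(pdf)
    if ref is None:
        return []                   # unencrypted: the RC4 path is never entered
    enc = _find_object(pdf, int(ref.group(1)), int(ref.group(2)))
    if enc is None:
        return ["/Encrypt points at a missing object"]
    problems = []
    if not re.search(rb"/Filter\s*/Standard(?!\w)", enc):
        problems.append("security handler is not /Standard")
    ints = {k.decode("ascii"): int(v) for k, v in _NAME_INT.findall(enc)}
    if ints.get("R") not in RC4_REVISIONS:
        problems.append(f"/R {ints.get('R')} outside revisions 2-4")
    if ints.get("Length", 40) not in VALID_KEY_BITS:
        problems.append(f"/Length {ints.get('Length')} not in 40..128 step 8")
    for key in ("O", "U"):
        s = _string_entry(enc, key.encode("ascii"))
        if s is None:
            problems.append(f"/{key} missing or not a direct string")
        elif len(s) != OU_STRING_LEN:
            problems.append(f"/{key} is {len(s)} bytes, expected {OU_STRING_LEN}")
    if "P" not in ints:
        problems.append("/P missing")
    return problems


# Constructed sample documents (not files from the advisory): a minimal
# encrypted PDF that passes, and two variants with malformed parameters.
GOOD_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904\n"
    b"/O <" + b"11" * 32 + b"> /U <" + b"22" * 32 + b"> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
)
SHORT_O_PDF = GOOD_PDF.replace(b"/O <" + b"11" * 32 + b">", b"/O <1111>")
BAD_LENGTH_PDF = GOOD_PDF.replace(b"/Length 128", b"/Length 4096")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_PDF), ("short_O", SHORT_O_PDF), ("bad_length", BAD_LENGTH_PDF)):
        print(name, screen_encrypt_dict(doc) or "ok")
```

The gate reads the file with regular expressions rather than a full PDF parser, which is deliberate: it must not itself be crashable by the input it screens, and it only needs the trailer reference and one dictionary. It is a pre-filter in front of iText, not a replacement for catching the exception where the document is opened.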
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.itextpdf:itext7-core (Maven) | < 7.2.0 | 7.2.0 |
Affected products
- iText / iText
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in ARCFOUREncryption.encryptARCFOUR allows an out-of-bounds read when processing a crafted PDF's encryption data."
Attack vector
An attacker crafts a malicious PDF file containing specially crafted encryption parameters that, when parsed by iText, cause `ARCFOUREncryption.encryptARCFOUR` to read past the end of an internal buffer [CWE-125]. The bug is triggered during PDF opening/decryption, as the call stack shows the encryption method is reached through `StandardHandlerUsingStandard128.computeOwnerKey` and then through `PdfXrefTable` operations [3]. No authentication or special network access is required: the attacker only needs to deliver the crafted PDF to a victim or service that processes it with iText v7.1.17.
Affected code
The out-of-bounds exception occurs in `com.itextpdf.kernel.crypto.ARCFOUREncryption.encryptARCFOUR` at line 93 of `ARCFOUREncryption.java` [3]. The call chain shows the encryption routine is invoked during PDF decryption, specifically via `StandardHandlerUsingStandard128.computeOwnerKey` at line 81 [3].
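The page reproduces neither line 93 nor the crafted parameters, so the following is a hypothetical illustration of the bug class rather than iText's code: an RC4 routine in Python with the `(data_in, off, length, data_out, off_out)` calling shape that a Java-style in-place cipher routine has, written once trusting the caller's range and once validating it against both buffers first. The driver feeds a 16-byte string where the caller expects the 32 bytes a revision 2-4 Standard handler works with; that a too-short string is the trigger here is an assumption made only to show the mechanism. This is an added example and not from the advisory or from PR #78.

```python
from typing import Optional


class Arcfour:
    """RC4 with (data_in, off, length, data_out, off_out) arguments, the calling
    shape of a Java-style in-place cipher routine. Hypothetical illustration,
    not iText's implementation."""

    def __init__(self) -> None:
        self.state = list(range(256))
        self.x = self.y = 0

    def prepare_key(self, key: bytes, off: int = 0, length: Optional[int] = None) -> None:
        """Key-scheduling algorithm over key[off:off+length]."""
        if length is None:
            length = len(key) - off
        if off < 0 or length <= 0 or off + length > len(key):
            raise ValueError("RC4 key range outside the key buffer")
        self.state = list(range(256))
        self.x = self.y = 0
        j = 0
        for i in range(256):
            j = (j + self.state[i] + key[off + i % length]) & 0xFF
            self.state[i], self.state[j] = self.state[j], self.state[i]

    def encrypt_unchecked(self, data_in, off, length, data_out, off_out) -> None:
        """Trusts the caller's range. With `length` larger than either buffer
        the loop walks off the end: Java raises ArrayIndexOutOfBoundsException,
        Python raises IndexError. Negative offsets are worse in Python, since
        they silently index from the end of the buffer instead of failing."""
        s = self.state
        for k in range(length):
            self.x = (self.x + 1) & 0xFF
            self.y = (self.y + s[self.x]) & 0xFF
            s[self.x], s[self.y] = s[self.y], s[self.x]
            data_out[off_out + k] = data_in[off + k] ^ s[(s[self.x] + s[self.y]) & 0xFF]

    def encrypt(self, data_in, off, length, data_out, off_out) -> None:
        """Bounds-checked variant: validate the whole range against both
        buffers before touching cipher state, and fail with a descriptive
        error that the caller can map to 'malformed document'."""
        if (off < 0 or off_out < 0 or length < 0
                or off + length > len(data_in) or off_out + length > len(data_out)):
            raise ValueError(
                f"RC4 range of {length} bytes at in[{off}]/out[{off_out}] exceeds "
                f"buffers of {len(data_in)}/{len(data_out)} bytes")
        self.encrypt_unchecked(data_in, off, length, data_out, off_out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Convenience wrapper, used to confirm the cipher against a known vector."""
    c = Arcfour()
    c.prepare_key(key)
    out = bytearray(len(data))
    c.encrypt(data, 0, len(data), out, 0)
    return bytes(out)


def outcome_for_short_buffer(buf: bytes, expected_len: int = 32) -> dict:
    """Emulate a caller that expects a 32-byte string but receives `buf` from
    a crafted file. Returns the exception name each variant raises, or None
    when the call completes."""
    results = {}
    for name in ("encrypt_unchecked", "encrypt"):
        c = Arcfour()
        c.prepare_key(b"\x01" * 16)     # constructed 128-bit key
        out = bytearray(expected_len)
        try:
            getattr(c, name)(buf, 0, expected_len, out, 0)
            results[name] = None
        except (IndexError, ValueError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())          # standard RC4 test vector
    print(outcome_for_short_buffer(b"\x00" * 16))   # 16 bytes where 32 expected
    print(outcome_for_short_buffer(b"\x00" * 32))   # well-formed input
```

The point of the checked variant is not that it avoids an exception (both variants throw) but that it throws a typed, descriptive error before any state is modified, at the layer that knows the input is untrusted. A parser can then turn that into a clean "malformed document" result instead of an unhandled ArrayIndexOutOfBoundsException propagating out of `computeOwnerKey`.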
What the fix does
No fix commit is linked for this issue, although the GitHub Security Advisory lists 7.2.0 as the patched version (see Affected packages below). The vendor has not treated the report as a security vulnerability and has found no impact beyond denial of service [1]. The researchers who reported the bugs noted they lacked "contextual knowledge in the itextpdf library" and could not "thoroughly fix some bugs," and invited the developers to propose a fix [3]. On the information available here, no remediation commit has been merged for this specific crash.
Preconditions
- Input: The victim or service must open a crafted PDF file using iText v7.1.17.
- Input: The crafted PDF must contain encryption parameters that trigger the out-of-bounds read in ARCFOUREncryption.encryptARCFOUR.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-8c9h-4q7g-fp7h (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-24198 (NVD entry, via GHSA)
3. github.com/itext/itext7/pull/78 (pull request reporting the bug, via GHSA)
News mentions
No linked articles in our index yet.