Unrated severityNVD Advisory· Published Jul 2, 2025· Updated Nov 4, 2025

Poppler Use After Free Vulnerability

CVE-2025-52886

Description

Poppler is a PDF rendering library. Versions prior to 25.06.0 use std::atomic_int for reference counting. Because std::atomic_int is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.

Affected products

Poppler (software)/Popplerllm-fuzzy2 versions
<25.06.0+ 1 more
- (no CPE)range: <25.06.0
- (no CPE)range: < 25.06.0
osv-coords30 versions
pkg:rpm/opensuse/poppler&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/poppler&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/poppler-qt5&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/poppler-qt6&distro=openSUSE%20Leap%2015.6 pkg:rpm/suse/poppler&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 pkg:rpm/suse/poppler&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 pkg:rpm/suse/poppler&distro=SUSE%20Manager%20Proxy%204.3 pkg:rpm/suse/poppler&distro=SUSE%20Manager%20Server%204.3 pkg:rpm/suse/poppler-qt5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 pkg:rpm/suse/poppler-qt5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 pkg:rpm/suse/poppler-qt6&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 pkg:rpm/suse/poppler-qt6&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 pkg:rpm/suse/poppler-qt&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS pkg:rpm/suse/poppler-qt&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
< 24.03.0-150600.3.16.1+ 29 more
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 25.06.0-1.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 23.01.0-150500.3.20.1
- (no CPE)range: < 23.01.0-150500.3.20.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 0.43.0-16.58.2
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 23.01.0-150500.3.20.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 23.01.0-150500.3.20.1
- (no CPE)range: < 0.43.0-16.58.2
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 0.79.0-150200.3.41.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 24.03.0-150600.3.16.1
- (no CPE)range: < 0.43.0-16.58.2
- (no CPE)range: < 0.43.0-16.58.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gitlab.freedesktop.org/poppler/poppler/-/commit/04bd91684ed41d67ae0f10cde0660e4ed74ac203mitrex_refsource_MISC
gitlab.freedesktop.org/poppler/poppler/-/commit/ac36affcc8486de38e8905a8d6547a3464ff46e5mitrex_refsource_MISC
gitlab.freedesktop.org/poppler/poppler/-/issues/1581mitrex_refsource_MISC
gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828mitrex_refsource_MISC
securitylab.github.com/advisories/GHSL-2025-054_poppler/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000