VYPR
High severity · 7.8 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-10118

Description

An integer overflow in the Poppler Splash backend's tilingPatternFill function allows remote attackers to trigger an out-of-bounds write via a malicious PDF file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw exists in the tilingPatternFill function within the Splash backend of the Poppler PDF rendering library. The vulnerability is triggered when processing a specially crafted PDF file that causes an integer overflow during memory allocation calculations. This overflow results in an undersized heap buffer allocation, which subsequently leads to an out-of-bounds memory write operation [1].

Exploitation

An attacker can exploit this vulnerability by delivering a malicious PDF file to a target user or system. No specific authentication is required, but the attacker must successfully induce the target application to render the crafted document. The exploitation relies on the application's PDF processing engine reaching the vulnerable code path during the rendering process [1].

Impact

Successful exploitation of this vulnerability allows an attacker to perform an out-of-bounds write, which can lead to arbitrary code execution, unauthorized information disclosure, or a denial of service condition. The impact is confined to the security context of the application currently processing the malicious PDF file [1].

Mitigation

Not yet disclosed in the available references. Users are advised to monitor official Poppler project updates and security advisories for the release of a patch addressing this integer overflow [1].

References
  1. cve-details

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.