Low severity3.3NVD Advisory· Published Apr 28, 2026· Updated May 5, 2026

CVE-2026-7233

Description

A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.

Affected products

Artifex/Mupdf
cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:*
Range: <=1.27.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.ghostscript.com/show_bug.cginvdExploitMitigationThird Party Advisory
github.com/biniamf/pocs/tree/main/mupdf-cff-indexload-oobreadnvdExploit
vuldb.com/submit/802590nvdExploitMitigationThird Party AdvisoryVDB Entry
vuldb.com/vuln/359840nvdExploitMitigationThird Party AdvisoryVDB Entry
artifex.comnvdProduct
vuldb.com/vuln/359840/ctinvdPermissions RequiredVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000