VYPR

rpm package

opensuse/mupdf&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/mupdf&distro=openSUSE%20Tumbleweed

Vulnerabilities (24)

  • CVE-2026-25556Feb 6, 2026
    affected < 1.27.1-1.1fixed 1.27.1-1.1

    MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path

  • CVE-2025-55780Sep 23, 2025
    affected < 1.27.1-1.1fixed 1.27.1-1.1

    A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing n

  • CVE-2023-31794Oct 31, 2023
    affected < 1.23.4-2.1fixed 1.23.4-2.1

    MuPDF v1.21.1 was discovered to contain an infinite recursion in the component pdf_mark_list_push. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

  • CVE-2021-4216Aug 26, 2022
    affected < 1.20.3-2.1fixed 1.20.3-2.1

    A Floating point exception (division-by-zero) flaw was found in Mupdf for zero width pages in muraster.c. It is fixed in Mupdf-1.20.0-rc1 upstream.

  • CVE-2018-25032Mar 25, 2022
    affected < 1.19.1-1.1fixed 1.19.1-1.1

    zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

  • CVE-2018-18662Oct 26, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Artifex MuPDF 1.14.0, as demonstrated by mutool.

  • CVE-2018-16648MedSep 6, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.

  • CVE-2018-16647MedSep 6, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.

  • CVE-2016-8729HigApr 24, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    An exploitable memory corruption vulnerability exists in the JBIG2 parser of Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be passed to a memset resulting in memory corruption and potential code execution. An attacker can specially craft a PDF and send

  • CVE-2018-1000051HigFeb 9, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appear to be exploitable via Victim opens a specially crafted PDF.

  • CVE-2018-6544MedFeb 2, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which allows remote attackers to cause a denial of service via a crafted PDF document.

  • CVE-2018-6192MedJan 24, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation violation and application crash) via a crafted pdf file.

  • CVE-2018-6187MedJan 24, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow vulnerability in the do_pdf_save_document function in the pdf/pdf-write.c file. Remote attackers could leverage the vulnerability to cause a denial of service via a crafted pdf file.

  • CVE-2017-17858HigJan 22, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    Heap-based buffer overflow in the ensure_solid_xref function in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 allows a remote attacker to potentially execute arbitrary code via a crafted PDF file, because xref subsection object numbers are unrestricted.

  • CVE-2018-5686MedJan 14, 2018
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    In MuPDF 1.12.0, there is an infinite loop vulnerability and application hang in the pdf_parse_array function (pdf/pdf-parse.c) because EOF is not considered. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted pdf file.

  • CVE-2017-15369HigOct 16, 2017
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    The build_filter_chain function in pdf/pdf-stream.c in Artifex MuPDF before 2017-09-25 mishandles a certain case where a variable may reside in a register, which allows remote attackers to cause a denial of service (Fitz fz_drop_imp use-after-free and application crash) or possib

  • CVE-2017-7976HigApr 19, 2017
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from

  • CVE-2016-10221MedApr 3, 2017
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    The count_entries function in pdf-layer.c in Artifex Software, Inc. MuPDF 1.10a allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted PDF document.

  • CVE-2016-10132HigMar 24, 2017
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    regexp.c in Artifex Software, Inc. MuJS allows attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to regular expression compilation.

  • CVE-2017-5896MedFeb 15, 2017
    affected < 1.18.0-1.7fixed 1.18.0-1.7

    Heap-based buffer overflow in the fz_subsample_pixmap function in fitz/pixmap.c in MuPDF 1.10a allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted image.

Page 1 of 2