VYPR

mutool

by MuPDF

CVEs (16)

  • CVE-2016-6525 | Critical | Sep 22, 2016
    risk 0.64 | cvss 9.8 | epss 0.04

    Heap-based buffer overflow in the pdf_load_mesh_params function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a large decode array.

  • CVE-2018-1000038 | High | May 24, 2018
    risk 0.51 | cvss 7.8 | epss 0.02

    In Artifex MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file.

  • CVE-2017-17866 | High | Dec 27, 2017
    risk 0.51 | cvss 7.8 | epss 0.02

    pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain length changes when a repair operation occurs during a clean operation, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact…

  • CVE-2018-1000039 | Medium | May 24, 2018
    risk 0.41 | cvss 6.3 | epss 0.02

    In Artifex MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file.

  • CVE-2019-6131 | Medium | Jan 11, 2019
    risk 0.36 | cvss 5.5 | epss 0.02

    svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool.

  • CVE-2019-6130 | Medium | Jan 11, 2019
    risk 0.36 | cvss 5.5 | epss 0.02

    Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool. This is related to page-number mishandling in cbz/mucbz.c, cbz/muimg.c, and svg/svg-doc.c.

  • CVE-2018-19882 | Medium | Dec 6, 2018
    risk 0.36 | cvss 5.5 | epss 0.01

    In Artifex MuPDF 1.14.0, the svg_run_image function in svg/svg-run.c allows remote attackers to cause a denial of service (href_att NULL pointer dereference and application crash) via a crafted svg file, as demonstrated by mupdf-gl.

  • CVE-2018-19881 | Medium | Dec 6, 2018
    risk 0.36 | cvss 5.5 | epss 0.02

    In Artifex MuPDF 1.14.0, svg/svg-run.c allows remote attackers to cause a denial of service (recursive calls followed by a fitz/xml.c fz_xml_att crash from excessive stack consumption) via a crafted svg file, as demonstrated by mupdf-gl.

  • CVE-2018-19777 | Medium | Nov 30, 2018
    risk 0.36 | cvss 5.5 | epss 0.01

    In Artifex MuPDF 1.14.0, there is an infinite loop in the function svg_dev_end_tile in fitz/svg-device.c, as demonstrated by mutool.

  • CVE-2018-18662 | Medium | Oct 26, 2018
    risk 0.36 | cvss 5.5 | epss 0.02

    There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Artifex MuPDF 1.14.0, as demonstrated by mutool.

  • CVE-2018-1000040 | Medium | May 24, 2018
    risk 0.36 | cvss 5.5 | epss 0.01

    In Artifex MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file.

  • CVE-2018-1000037 | Medium | May 24, 2018
    risk 0.36 | cvss 5.5 | epss 0.02

    In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file.

  • CVE-2018-1000036 | Medium | May 24, 2018
    risk 0.36 | cvss 5.5 | epss 0.01

    In Artifex MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial of service (memory leak) via a crafted file.

  • CVE-2018-10289 | Medium | Apr 22, 2018
    risk 0.36 | cvss 5.5 | epss 0.01

    In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space function of the pdf/pdf-xref.c file. A remote adversary could leverage this vulnerability to cause a denial of service via a crafted pdf file.

  • CVE-2016-8674 | Medium | Feb 15, 2017
    risk 0.36 | cvss 5.5 | epss 0.01

    The pdf_to_num function in pdf-object.c in MuPDF before 1.10 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted file.

  • CVE-2026-40505 | Low | Apr 16, 2026
    risk 0.14 | cvss 3.3 | epss 0.00

    MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal…