Vendor CVEs
Xpdf
All CVEs
172 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11033 | Hig | 0.51 | 7.8 | 0.01 | May 14, 2018 | The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in xpdf before 4.00 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JPEG data. | ||
| CVE-2018-8100 | Hig | 0.51 | 7.8 | 0.01 | Mar 14, 2018 | The JPXStream::readTilePart function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-16369 | Med | 0.36 | 5.5 | 0.02 | Sep 3, 2018 | XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (stack consumption) via a crafted pdf file, related to AcroForm::scanField, as demonstrated by pdftohtml. NOTE: this might overlap CVE-2018-7453. | ||
| CVE-2018-16368 | Med | 0.36 | 5.5 | 0.01 | Sep 3, 2018 | SplashXPath::strokeAdjust in splash/SplashXPath.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm. | ||
| CVE-2018-8107 | Med | 0.36 | 5.5 | 0.01 | Mar 14, 2018 | The JPXStream::close function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-8106 | Med | 0.36 | 5.5 | 0.01 | Mar 14, 2018 | The JPXStream::readTilePartData function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-8105 | Med | 0.36 | 5.5 | 0.01 | Mar 14, 2018 | The JPXStream::fillReadBuf function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-8104 | Med | 0.36 | 5.5 | 0.01 | Mar 14, 2018 | The BufStream::lookChar function in Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-8103 | Med | 0.36 | 5.5 | 0.01 | Mar 14, 2018 | The JBIG2Stream::readGenericBitmap function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-8102 | Med | 0.36 | 5.5 | 0.01 | Mar 14, 2018 | The JBIG2MMRDecoder::getBlackCode function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-8101 | Med | 0.36 | 5.5 | 0.01 | Mar 14, 2018 | The JPXStream::inverseTransformLevel function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-7455 | Med | 0.36 | 5.5 | 0.01 | Feb 24, 2018 | An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-7454 | Med | 0.36 | 5.5 | 0.01 | Feb 24, 2018 | A NULL pointer dereference in XFAForm::scanFields in XFAForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-7453 | Med | 0.36 | 5.5 | 0.01 | Feb 24, 2018 | Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml. | ||
| CVE-2018-7452 | Med | 0.36 | 5.5 | 0.01 | Feb 24, 2018 | A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | ||
| CVE-2018-7175 | Med | 0.36 | 5.5 | 0.01 | Feb 15, 2018 | An issue was discovered in xpdf 4.00. A NULL pointer dereference in readCodestream allows an attacker to cause denial of service via a JPX image with zero components. | ||
| CVE-2018-7174 | Med | 0.36 | 5.5 | 0.01 | Feb 15, 2018 | An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref allows an attacker to cause denial of service because loop detection exists only for tables, not streams. | ||
| CVE-2018-7173 | Med | 0.36 | 5.5 | 0.01 | Feb 15, 2018 | A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding. | ||
| CVE-2011-2902 | Med | 0.35 | 5.3 | 0.01 | Jan 30, 2018 | zxpdf in xpdf before 3.02-19 as packaged in Debian unstable and 3.02-12+squeeze1 as packaged in Debian squeeze deletes temporary files insecurely, which allows remote attackers to delete arbitrary files via a crafted .pdf.gz file name. | ||
| CVE-2025-11896 | Low | 0.14 | — | 0.00 | Oct 16, 2025 | In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow. | ||
| CVE-2025-3154 | Low | 0.14 | — | 0.00 | Apr 2, 2025 | Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid VerticesPerRow value in a PDF shading dictionary. | ||
| CVE-2025-2574 | Low | 0.14 | — | 0.00 | Mar 20, 2025 | Out-of-bounds array write in Xpdf 4.05 and earlier, due to incorrect integer overflow checking in the PostScript function interpreter code. | ||
| CVE-2003-0434 | 0.06 | — | 0.41 | Jul 24, 2003 | Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. | |||
| CVE-2019-13288 | 0.03 | — | 0.05 | Jul 4, 2019 | In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. This is similar to CVE-2018-16646. | |||
| CVE-2011-1552 | 0.01 | — | 0.10 | Mar 31, 2011 | t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than… | |||
| CVE-2009-3608 | 0.01 | — | 0.10 | Oct 21, 2009 | Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that… | |||
| CVE-2009-3604 | 0.01 | — | 0.09 | Oct 21, 2009 | The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary… | |||
| CVE-2009-3603 | 0.01 | — | 0.09 | Oct 21, 2009 | Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are… | |||
| CVE-2009-1188 | 0.01 | — | 0.07 | Apr 23, 2009 | Integer overflow in the JBIG2 decoding feature in the SplashBitmap::SplashBitmap function in SplashBitmap.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.10.6, as used in GPdf and kdegraphics KPDF, allows remote attackers to execute arbitrary code or cause a denial of service… | |||
| CVE-2009-1182 | 0.01 | — | 0.07 | Apr 23, 2009 | Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. | |||
| CVE-2007-5392 | 0.01 | — | 0.06 | Nov 8, 2007 | Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow. | |||
| CVE-2007-5393 | 0.01 | — | 0.06 | Nov 8, 2007 | Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter. | |||
| CVE-2007-4352 | 0.01 | — | 0.07 | Nov 8, 2007 | Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file. | |||
| CVE-2007-3387 | 0.01 | — | 0.09 | Jul 30, 2007 | Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted… | |||
| CVE-2005-0064 | 0.01 | — | 0.07 | May 2, 2005 | Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value. | |||
| CVE-2004-0888 | 0.01 | — | 0.09 | Jan 27, 2005 | Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by… | |||
| CVE-2004-1125 | 0.01 | — | 0.07 | Jan 10, 2005 | Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary… | |||
| CVE-2026-4407 | 0.00 | — | 0.00 | Mar 18, 2026 | Out-of-bounds array write in Xpdf 4.06 and earlier, due to incorrect validation of the "N" field in ICCBased color spaces. | |||
| CVE-2024-7868 | 0.00 | — | 0.00 | Aug 15, 2024 | In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address. | |||
| CVE-2024-7867 | 0.00 | — | 0.00 | Aug 15, 2024 | In Xpdf 4.05 (and earlier), very large coordinates in a page box can cause an integer overflow and divide-by-zero. | |||
| CVE-2024-7866 | 0.00 | — | 0.00 | Aug 15, 2024 | In Xpdf 4.05 (and earlier), a PDF object loop in a pattern resource leads to infinite recursion and a stack overflow. | |||
| CVE-2024-4976 | 0.00 | — | 0.00 | May 15, 2024 | Out-of-bounds array write in Xpdf 4.05 and earlier, due to missing object type check in AcroForm field reference. | |||
| CVE-2024-4568 | 0.00 | — | 0.00 | May 6, 2024 | In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources leads to infinite recursion and a stack overflow. | |||
| CVE-2024-4141 | 0.00 | — | 0.00 | Apr 24, 2024 | Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid character code in a Type 1 font. The root problem was a bounds check that was being optimized away by modern compilers. | |||
| CVE-2024-3900 | 0.00 | — | 0.00 | Apr 17, 2024 | Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long Unicode sequence in ActualText. | |||
| CVE-2024-3248 | 0.00 | — | 0.00 | Apr 2, 2024 | In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow. | |||
| CVE-2024-3247 | 0.00 | — | 0.00 | Apr 2, 2024 | In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow. | |||
| CVE-2024-2971 | 0.00 | — | 0.00 | Mar 26, 2024 | Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by negative object number in indirect reference in the input PDF file. | |||
| CVE-2022-48545 | 0.00 | — | 0.00 | Aug 22, 2023 | An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02. | |||
| CVE-2023-3436 | 0.00 | — | 0.00 | Jun 27, 2023 | Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream. |
- risk 0.51cvss 7.8epss 0.01
The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in xpdf before 4.00 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JPEG data.
- risk 0.51cvss 7.8epss 0.01
The JPXStream::readTilePart function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.02
XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (stack consumption) via a crafted pdf file, related to AcroForm::scanField, as demonstrated by pdftohtml. NOTE: this might overlap CVE-2018-7453.
- risk 0.36cvss 5.5epss 0.01
SplashXPath::strokeAdjust in splash/SplashXPath.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.
- risk 0.36cvss 5.5epss 0.01
The JPXStream::close function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
The JPXStream::readTilePartData function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
The JPXStream::fillReadBuf function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
The BufStream::lookChar function in Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
The JBIG2Stream::readGenericBitmap function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
The JBIG2MMRDecoder::getBlackCode function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
The JPXStream::inverseTransformLevel function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
A NULL pointer dereference in XFAForm::scanFields in XFAForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml.
- risk 0.36cvss 5.5epss 0.01
An issue was discovered in xpdf 4.00. A NULL pointer dereference in readCodestream allows an attacker to cause denial of service via a JPX image with zero components.
- risk 0.36cvss 5.5epss 0.01
An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref allows an attacker to cause denial of service because loop detection exists only for tables, not streams.
- risk 0.36cvss 5.5epss 0.01
A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding.
- risk 0.35cvss 5.3epss 0.01
zxpdf in xpdf before 3.02-19 as packaged in Debian unstable and 3.02-12+squeeze1 as packaged in Debian squeeze deletes temporary files insecurely, which allows remote attackers to delete arbitrary files via a crafted .pdf.gz file name.
- risk 0.14cvss —epss 0.00
In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.
- risk 0.14cvss —epss 0.00
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid VerticesPerRow value in a PDF shading dictionary.
- risk 0.14cvss —epss 0.00
Out-of-bounds array write in Xpdf 4.05 and earlier, due to incorrect integer overflow checking in the PostScript function interpreter code.
- CVE-2003-0434Jul 24, 2003risk 0.06cvss —epss 0.41
Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink.
- CVE-2019-13288Jul 4, 2019risk 0.03cvss —epss 0.05
In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. This is similar to CVE-2018-16646.
- CVE-2011-1552Mar 31, 2011risk 0.01cvss —epss 0.10
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than…
- CVE-2009-3608Oct 21, 2009risk 0.01cvss —epss 0.10
Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that…
- CVE-2009-3604Oct 21, 2009risk 0.01cvss —epss 0.09
The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary…
- CVE-2009-3603Oct 21, 2009risk 0.01cvss —epss 0.09
Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are…
- CVE-2009-1188Apr 23, 2009risk 0.01cvss —epss 0.07
Integer overflow in the JBIG2 decoding feature in the SplashBitmap::SplashBitmap function in SplashBitmap.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.10.6, as used in GPdf and kdegraphics KPDF, allows remote attackers to execute arbitrary code or cause a denial of service…
- CVE-2009-1182Apr 23, 2009risk 0.01cvss —epss 0.07
Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.
- CVE-2007-5392Nov 8, 2007risk 0.01cvss —epss 0.06
Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow.
- CVE-2007-5393Nov 8, 2007risk 0.01cvss —epss 0.06
Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter.
- CVE-2007-4352Nov 8, 2007risk 0.01cvss —epss 0.07
Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file.
- CVE-2007-3387Jul 30, 2007risk 0.01cvss —epss 0.09
Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted…
- CVE-2005-0064May 2, 2005risk 0.01cvss —epss 0.07
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.
- CVE-2004-0888Jan 27, 2005risk 0.01cvss —epss 0.09
Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by…
- CVE-2004-1125Jan 10, 2005risk 0.01cvss —epss 0.07
Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary…
- CVE-2026-4407Mar 18, 2026risk 0.00cvss —epss 0.00
Out-of-bounds array write in Xpdf 4.06 and earlier, due to incorrect validation of the "N" field in ICCBased color spaces.
- CVE-2024-7868Aug 15, 2024risk 0.00cvss —epss 0.00
In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.
- CVE-2024-7867Aug 15, 2024risk 0.00cvss —epss 0.00
In Xpdf 4.05 (and earlier), very large coordinates in a page box can cause an integer overflow and divide-by-zero.
- CVE-2024-7866Aug 15, 2024risk 0.00cvss —epss 0.00
In Xpdf 4.05 (and earlier), a PDF object loop in a pattern resource leads to infinite recursion and a stack overflow.
- CVE-2024-4976May 15, 2024risk 0.00cvss —epss 0.00
Out-of-bounds array write in Xpdf 4.05 and earlier, due to missing object type check in AcroForm field reference.
- CVE-2024-4568May 6, 2024risk 0.00cvss —epss 0.00
In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources leads to infinite recursion and a stack overflow.
- CVE-2024-4141Apr 24, 2024risk 0.00cvss —epss 0.00
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid character code in a Type 1 font. The root problem was a bounds check that was being optimized away by modern compilers.
- CVE-2024-3900Apr 17, 2024risk 0.00cvss —epss 0.00
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long Unicode sequence in ActualText.
- CVE-2024-3248Apr 2, 2024risk 0.00cvss —epss 0.00
In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow.
- CVE-2024-3247Apr 2, 2024risk 0.00cvss —epss 0.00
In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow.
- CVE-2024-2971Mar 26, 2024risk 0.00cvss —epss 0.00
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by negative object number in indirect reference in the input PDF file.
- CVE-2022-48545Aug 22, 2023risk 0.00cvss —epss 0.00
An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.
- CVE-2023-3436Jun 27, 2023risk 0.00cvss —epss 0.00
Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.
Page 1 of 4