Artifex Mupdf
By the Year
In 2026 there have been 5 vulnerabilities in Artifex Mupdf with an average score of 5.4 out of ten. Last year, in 2025, Mupdf had 2 security vulnerabilities published. That is, 3 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 2.15.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 5 | 5.35 |
| 2025 | 2 | 7.50 |
| 2024 | 3 | 7.50 |
| 2023 | 8 | 6.93 |
| 2022 | 1 | 5.50 |
| 2021 | 3 | 5.50 |
| 2020 | 3 | 5.50 |
| 2019 | 5 | 6.93 |
| 2018 | 19 | 6.22 |
It may take a day or so for new Mupdf vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Artifex Mupdf Security Vulnerabilities
MuPDF <=1.28.0 OOB Read in CFF Index Handler (fz_subset_cff_for_gids)
CVE-2026-7233
3.3 - Low
- April 28, 2026
A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.
Out-of-bounds Read
MuPDF mutool CLI Injection via Unsanitized PDF Metadata ANSI Escape
CVE-2026-40505
3.3 - Low
- April 16, 2026
MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.
Improper Neutralization of Escape, Meta, or Control Sequences
MuPDF 1.27.0 Integer Overflow in pdf_image.c via PDF Image
CVE-2026-3308
7.8 - High
- March 31, 2026
An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.
Integer Overflow or Wraparound
MuPDF Windows 1.26.1 get_system_dpi Path Traversal (Uncontrolled Search Path)
CVE-2025-15569
7 - High
- February 10, 2026
A flaw has been found in Artifex MuPDF up to 1.26.1 on Windows. The impacted element is the function get_system_dpi of the file platform/x11/win_main.c. This manipulation causes uncontrolled search path. The attack requires local access. The attack is considered to have high complexity. The exploitability is regarded as difficult. Upgrading to version 1.26.2 is sufficient to resolve this issue. Patch name: ebb125334eb007d64e579204af3c264aadf2e244. Upgrading the affected component is recommended.
DLL preloading
MuPDF 1.23.0-1.27.0 Double-Free via fz_fill_pixmap_from_display_list
CVE-2026-25556
- February 06, 2026
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Double-free
MuPDF 1.26.4 NPE in break_word_for_overflow_wrap() during EPUB rendering
CVE-2025-55780
7.5 - High
- September 23, 2025
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.
NULL Pointer Dereference
DoS via Infinite Recursion in mutool clean (Artifex MuPDF 1.25.5/1.25.6)
CVE-2025-46206
- August 04, 2025
An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion
Artifex Software MuPDF Segmentation Fault Vulnerability in pdfextract Component
CVE-2024-46657
- December 10, 2024
Artifex Software mupdf v1.24.9 was discovered to contain a segmentation fault via the component /tools/pdfextract.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
freeglut 3.4.0 mem leak via menuEntry in glutAddSubMenu
CVE-2024-24258
7.5 - High
- February 05, 2024
freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.
Memory Leak
FreeGLUT <=3.4.0 Memory Leak via glutAddMenuEntry
CVE-2024-24259
7.5 - High
- February 05, 2024
freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.
Memory Leak
Artifex MuPDF 1.23.4 FP divide-by-zero in pixmap.c
CVE-2023-51103
7.5 - High
- December 26, 2023
A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in the function fz_new_pixmap_from_float_data() of pixmap.c.
Divide By Zero
MuPDF 1.23.4 Divide-by-Zero in compute_color() FPE Vulnerability
CVE-2023-51107
7.5 - High
- December 26, 2023
A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in function compute_color() of jquant2.c. NOTE: this is disputed by the supplier because there was not reasonable evidence to determine the existence of a vulnerability or identify the affected product.
Divide By Zero
FP Exception in MuPDF 1.23.4 pnm_binary_read_image
CVE-2023-51106
7.5 - High
- December 26, 2023
A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in function pnm_binary_read_image() of load-pnm.c when fz_colorspace_n returns zero.
Divide By Zero
MuPDF 1.23.4: Float Exception in bmp_decompress_rle4() BMP Decompressor
CVE-2023-51105
7.5 - High
- December 26, 2023
A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in function bmp_decompress_rle4() of load-bmp.c.
Divide By Zero
MuPDF 1.23.4 FP Exception via pnm_binary_read_image() Divz
CVE-2023-51104
7.5 - High
- December 26, 2023
A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in function pnm_binary_read_image() of load-pnm.c when span equals zero.
Divide By Zero
MuPDF 1.21.1 DoS via Infinite Recursion in pdf_mark_list_push
CVE-2023-31794
5.5 - Medium
- October 31, 2023
MuPDF v1.21.1 was discovered to contain an infinite recursion in the component pdf_mark_list_push. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
Stack Exhaustion
MuPDF 1.17.0 memory leak via pdf-font-add.c leads to info leak
CVE-2020-26683
5.5 - Medium
- August 22, 2023
A memory leak issue discovered in /pdf/pdf-font-add.c in Artifex Software MuPDF 1.17.0 allows attackers to obtain sensitive information.
Memory Leak
MuPDF 1.16.0 UAF in svg_dev_text_span_as_paths_defs
CVE-2020-21896
- August 22, 2023
A Use After Free vulnerability in svg_dev_text_span_as_paths_defs function in source/fitz/svg-device.c in Artifex Software MuPDF 1.16.0 allows remote attackers to cause a denial of service via opening of a crafted PDF file.
Mupdf 1.20.0-rc1: Muraster.c FP Division-by-Zero
CVE-2021-4216
5.5 - Medium
- August 26, 2022
A Floating point exception (division-by-zero) flaw was found in Mupdf for zero width pages in muraster.c. It is fixed in Mupdf-1.20.0-rc1 upstream.
Divide By Zero
MuPDF through 1.18.1 has an out-of-bounds write
CVE-2021-37220
5.5 - Medium
- July 21, 2021
MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted "mutool draw" input.
Memory Corruption
Artifex MuPDF before 1.18.0 has a heap based buffer over-write in tiff_expand_colormap() function when parsing TIFF files
CVE-2020-19609
- July 21, 2021
Artifex MuPDF before 1.18.0 has a heap based buffer over-write in tiff_expand_colormap() function when parsing TIFF files allowing attackers to cause a denial of service.
A flaw was found in mupdf 1.18.0
CVE-2021-3407
5.5 - Medium
- February 23, 2021
A flaw was found in mupdf 1.18.0. Double free of object during linearization may lead to memory corruption and other potential consequences.
Double-free
A Use After Free vulnerability exists in Artifex Software, Inc
CVE-2020-16600
- December 09, 2020
A Use After Free vulnerability exists in Artifex Software, Inc. MuPDF library 1.17.0-rc1 and earlier when a valid page was followed by a page with invalid pixmap dimensions, causing bander - a static - to point to previously freed memory instead of a newband_writer.
Artifex MuPDF before 1.18.0 has a heap based buffer over-write when parsing JBIG2 files
CVE-2020-26519
5.5 - Medium
- October 02, 2020
Artifex MuPDF before 1.18.0 has a heap based buffer over-write when parsing JBIG2 files allowing attackers to cause a denial of service.
Memory Corruption
SumatraPDF 2.1.1/MuPDF 1.0
CVE-2012-5340
- January 23, 2020
SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an Integer Overflow in the lex_number() function via a corrupt PDF file.
Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c
CVE-2019-14975
- August 14, 2019
Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string.
Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c
CVE-2019-13290
- July 04, 2019
Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing remote attackers to execute arbitrary code via a crafted PDF file. This occurs with a large BDC property name that overflows the allocated size of a display list node.
Usage of an uninitialized variable in the function fz_load_jpeg in Artifex MuPDF 1.14 can result in a heap overflow vulnerability
CVE-2019-7321
9.8 - Critical
- June 13, 2019
Usage of an uninitialized variable in the function fz_load_jpeg in Artifex MuPDF 1.14 can result in a heap overflow vulnerability that allows an attacker to execute arbitrary code.
Memory Corruption
Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool
CVE-2019-6130
5.5 - Medium
- January 11, 2019
Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool. This is related to page-number mishandling in cbz/mucbz.c, cbz/muimg.c, and svg/svg-doc.c.
Range Error
svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol
CVE-2019-6131
5.5 - Medium
- January 11, 2019
svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool.
Stack Exhaustion
In Artifex MuPDF 1.14.0, the svg_run_image function in svg/svg-run.c
CVE-2018-19882
5.5 - Medium
- December 06, 2018
In Artifex MuPDF 1.14.0, the svg_run_image function in svg/svg-run.c allows remote attackers to cause a denial of service (href_att NULL pointer dereference and application crash) via a crafted svg file, as demonstrated by mupdf-gl.
NULL Pointer Dereference
In Artifex MuPDF 1.14.0, svg/svg-run.c
CVE-2018-19881
5.5 - Medium
- December 06, 2018
In Artifex MuPDF 1.14.0, svg/svg-run.c allows remote attackers to cause a denial of service (recursive calls followed by a fitz/xml.c fz_xml_att crash from excessive stack consumption) via a crafted svg file, as demonstrated by mupdf-gl.
Resource Exhaustion
In Artifex MuPDF 1.14.0
CVE-2018-19777
5.5 - Medium
- November 30, 2018
In Artifex MuPDF 1.14.0, there is an infinite loop in the function svg_dev_end_tile in fitz/svg-device.c, as demonstrated by mutool.
Infinite Loop
There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Artifex MuPDF 1.14.0
CVE-2018-18662
- October 26, 2018
There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Artifex MuPDF 1.14.0, as demonstrated by mutool.
In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c
CVE-2018-16648
5.5 - Medium
- September 06, 2018
In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.
out-of-bounds array index
In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c
CVE-2018-16647
5.5 - Medium
- September 06, 2018
In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.
Buffer Overflow
In Artifex MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser
CVE-2018-1000036
5.5 - Medium
- May 24, 2018
In Artifex MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial of service (memory leak) via a crafted file.
Missing Release of Resource after Effective Lifetime
In Artifex MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could
CVE-2018-1000040
5.5 - Medium
- May 24, 2018
In Artifex MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file.
Improper Input Validation
In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser
CVE-2018-1000037
5.5 - Medium
- May 24, 2018
In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file.
Improper Input Validation
In Artifex MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could
CVE-2018-1000038
7.8 - High
- May 24, 2018
In Artifex MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file.
Memory Corruption
In Artifex MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could
CVE-2018-1000039
7.8 - High
- May 24, 2018
In Artifex MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file.
Dangling pointer
An exploitable heap out of bounds write vulnerability exists in the Fitz graphical library part of the MuPDF renderer
CVE-2016-8728
7.8 - High
- April 24, 2018
An exploitable heap out of bounds write vulnerability exists in the Fitz graphical library part of the MuPDF renderer. A specially crafted PDF file can cause an out of bounds write resulting in heap metadata and sensitive process memory corruption leading to potential code execution. Victim needs to open the specially crafted file in a vulnerable reader in order to trigger this vulnerability.
Memory Corruption
An exploitable memory corruption vulnerability exists in the JBIG2 parser of Artifex MuPDF 1.9
CVE-2016-8729
7.8 - High
- April 24, 2018
An exploitable memory corruption vulnerability exists in the JBIG2 parser of Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be passed to a memset resulting in memory corruption and potential code execution. An attacker can specially craft a PDF and send to the victim to trigger this vulnerability.
Buffer Overflow
In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space function of the pdf/pdf-xref.c file
CVE-2018-10289
- April 22, 2018
In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space function of the pdf/pdf-xref.c file. A remote adversary could leverage this vulnerability to cause a denial of service via a crafted pdf file.
Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable
CVE-2018-1000051
7.8 - High
- February 09, 2018
Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appears to be exploitable via a victim opening a specially crafted PDF.
Dangling pointer
pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which
CVE-2018-6544
- February 02, 2018
pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which allows remote attackers to cause a denial of service via a crafted PDF document.
In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in pdf/pdf-xref.c
CVE-2018-6192
5.5 - Medium
- January 24, 2018
In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation violation and application crash) via a crafted pdf file.
Buffer Overflow
In Artifex MuPDF 1.12.0
CVE-2018-6187
5.5 - Medium
- January 24, 2018
In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow vulnerability in the do_pdf_save_document function in the pdf/pdf-write.c file. Remote attackers could leverage the vulnerability to cause a denial of service via a crafted pdf file.
Memory Corruption
In MuPDF 1.12.0, there is an infinite loop vulnerability and application hang in the pdf_parse_array function (pdf/pdf-parse.c)
CVE-2018-5686
5.5 - Medium
- January 14, 2018
In MuPDF 1.12.0, there is an infinite loop vulnerability and application hang in the pdf_parse_array function (pdf/pdf-parse.c) because EOF is not considered. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted pdf file.
Infinite Loop
An integer overflow was discovered in pdf_read_new_xref_section in pdf/pdf-xref.c in Artifex MuPDF 1.11.
CVE-2017-15587
7.8 - High
- October 18, 2017
An integer overflow was discovered in pdf_read_new_xref_section in pdf/pdf-xref.c in Artifex MuPDF 1.11.
Integer Overflow or Wraparound