Description
A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Poppler’s Splash backend contains an integer overflow in the tilingPatternFill function. The unchecked multiplication of pattern dimensions results in an undersized heap allocation, allowing an out‑of‑bounds write. This overflow can be exploited by a remote attacker through a crafted PDF file, leading to arbitrary code execution, information disclosure or denial of service within the processing application. The flaw is classified as CWE‑190: Integer Overflow or Wraparound.
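The following C snippet is an added illustration of the CWE-190 pattern the analysis describes, not Poppler's code: a pattern-cell buffer size derived from attacker-controlled width and height wraps in 32-bit arithmetic, shown beside a hardened computation that bounds the dimensions and checks each product before any allocation. The 4-bytes-per-pixel layout and the MAX_DIM bound are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not Poppler's code: a pattern cell is stored as a
 * packed RGBA bitmap, BYTES_PER_PIXEL bytes per pixel (assumed layout). */
#define BYTES_PER_PIXEL 4u
/* Assumed per-dimension bound; the page does not state Poppler's own limits. */
#define MAX_DIM 32767u

/* Vulnerable shape (CWE-190): the byte count is computed in 32-bit arithmetic
 * and wraps silently, so attacker-chosen dimensions yield a tiny allocation
 * while later pixel writes still use the full width and height. */
uint32_t unchecked_cell_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened version: reject zero or oversized dimensions, then verify that the
 * remaining multiplication cannot exceed SIZE_MAX before memory is requested. */
bool checked_cell_bytes(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return false;
    size_t pixels = (size_t)width * (size_t)height; /* <= MAX_DIM^2, cannot wrap */
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return false;
    *out = pixels * BYTES_PER_PIXEL;
    return true;
}

/* Convenience wrapper: the validated size, or 0 when the dimensions are rejected. */
size_t cell_bytes_or_zero(uint32_t width, uint32_t height)
{
    size_t bytes;
    return checked_cell_bytes(width, height, &bytes) ? bytes : 0;
}

int main(void)
{
    /* 32768 x 32769 RGBA pixels really need about 4 GiB, but the 32-bit
     * product wraps to 131072 bytes: an undersized heap buffer that later
     * row writes would overrun. The checked path refuses the request. */
    printf("unchecked: %u bytes\n", unchecked_cell_bytes(32768u, 32769u));
    printf("checked: %zu bytes (0 = rejected)\n", cell_bytes_or_zero(32768u, 32769u));
    printf("checked 64x64: %zu bytes\n", cell_bytes_or_zero(64u, 64u));
    return 0;
}
```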

Affected Systems

This vulnerability affects systems that render PDFs through the Poppler library's Splash backend. Red Hat customers running Red Hat Enterprise Linux 6, 7, 8, 9 or 10, as well as Red Hat Hardened Images, are impacted through the bundled Poppler libraries. Exact product versions are not specified beyond the distribution names, but any release that includes an affected Poppler build is vulnerable.

Risk and Exploitability

The CVSS v3 score of 7.8 indicates high severity. No EPSS score is provided, so the current exploitation probability is unknown, but as a remote code execution flaw reached through user‑supplied PDF content it is an attractive target for attackers. It is not listed in the CISA KEV catalog at this time. The typical attack path involves a malicious PDF being opened with an application that uses Poppler; from that point the overflow can be triggered, allowing the attacker to execute code with the privileges of the rendering process.

Generated by OpenCVE AI on June 1, 2026 at 18:21 UTC.

Remediation

Vendor Workaround

To mitigate this issue, users should avoid opening untrusted or suspicious PDF documents with applications that utilize the Poppler library for rendering. Limiting exposure to untrusted content can reduce the risk of exploitation.


OpenCVE Recommended Actions

  • If a newer Poppler version or vendor patch that fixes the integer overflow is available, upgrade immediately.
  • Limit exposure by disabling or removing PDF rendering capabilities in applications that use Poppler, or replace them with safer alternatives.
  • Avoid opening untrusted or suspicious PDF documents; apply the suggested workaround of restricting PDF handling to environments where user input can be trusted.

Generated by OpenCVE AI on June 1, 2026 at 18:21 UTC.


Advisories

Source      ID          Title
Debian DSA  DSA-6334-1  poppler security update
Ubuntu USN  USN-8400-1  poppler vulnerability

History

Wed, 10 Jun 2026 12:15:00 +0000

  CPEs
    Removed: cpe:/o:redhat:enterprise_linux:9
    Added: cpe:/a:redhat:enterprise_linux:9::appstream, cpe:/a:redhat:enterprise_linux:9::crb
  References

Wed, 10 Jun 2026 11:00:00 +0000

  CPEs: cpe:/o:redhat:enterprise_linux:10

Wed, 10 Jun 2026 09:45:00 +0000

  CPEs
    Removed: cpe:/o:redhat:enterprise_linux:8
    Added: cpe:/a:redhat:enterprise_linux:8::appstream, cpe:/a:redhat:enterprise_linux:8::crb, cpe:/o:redhat:enterprise_linux:10.2
  References

Wed, 03 Jun 2026 02:30:00 +0000

  First Time appeared: Redhat hardened Images
  Vendors & Products: Redhat hardened Images

Tue, 02 Jun 2026 12:15:00 +0000

  References
  Metrics: threat_severity
    Removed: None
    Added: Important

Mon, 01 Jun 2026 21:30:00 +0000

  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

  Description: A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
  Title: Poppler: integer overflow in poppler splashoutputdev::tilingpatternfill leads to heap buffer overflow via unchecked dimension multiplication
  First Time appeared: Redhat, Redhat enterprise Linux, Redhat hummingbird
  Weaknesses: CWE-190
  CPEs:
    cpe:/a:redhat:hummingbird:1
    cpe:/o:redhat:enterprise_linux:10
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
  Vendors & Products: Redhat, Redhat enterprise Linux, Redhat hummingbird
  References
  Metrics: cvssV3_1
    {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-15T18:34:16.731Z

Reserved: 2026-05-29T17:18:50.666Z

Link: CVE-2026-10118

Vulnrichment

Updated: 2026-06-01T19:34:07.472Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T17:16:39.500

Modified: 2026-06-10T12:16:24.837

Link: CVE-2026-10118

Redhat

Severity: Important

Public Date: 2026-06-01T15:25:35Z

Links: CVE-2026-10118 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-02T20:54:21Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound