Description
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Published: 2026-02-06
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap corruption due to a double‑free that can crash the process
Action: Patch MuPDF immediately
AI Analysis

Impact

The vulnerability arises in MuPDF versions 1.23.0 through 1.27.0 when an exception occurs during display list rendering while processing a barcode. The function fz_fill_pixmap_from_display_list incorrectly frees a caller‑owned pixmap in its error path, and the caller later frees the same pixmap in cleanup, producing a double‑free. This flaw allows heap corruption and can terminate the application.

Affected Systems

MuPDF, a PDF and XPS rendering engine from Artifex Software, is affected for all releases from 1.23.0 up to and including 1.27.0. Applications that enable MuPDF barcode decoding and process user documents are therefore impacted.

Risk and Exploitability

The CVSS score is 5.9 and the EPSS score is under 1 %, indicating a low likelihood of active exploitation. The flaw is not listed in the CISA KEV catalog. An attacker can trigger the issue by delivering a specially crafted document that causes a rendering-time error during barcode decoding. This results in a deterministic heap corruption that usually crashes the process, affecting availability and potentially enabling further exploitation if additional vulnerabilities exist. The primary attack vector therefore requires the attacker to supply malicious content to a MuPDF‑using application.

Generated by OpenCVE AI on April 16, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MuPDF to version 1.28 or later, which contains the patch for the double‑free bug.
  • If an upgrade is not immediately possible, disable or remove the barcode decoding feature from the MuPDF integration until a patch is applied.
  • Run MuPDF in a sandboxed or restricted environment and validate input files before rendering to limit the impact of any additional memory‑corruption vulnerabilities.

Generated by OpenCVE AI on April 16, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Artifex
Artifex mupdf
Vendors & Products Artifex
Artifex mupdf

Fri, 06 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Title MuPDF <= 1.27.0 Barcode Decoding Double Free
Weaknesses CWE-415
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Artifex Mupdf
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:44.730Z

Reserved: 2026-02-02T20:12:33.395Z

Link: CVE-2026-25556

cve-icon Vulnrichment

Updated: 2026-02-06T16:35:03.314Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T17:16:27.387

Modified: 2026-02-24T21:07:13.627

Link: CVE-2026-25556

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-06T16:11:59Z

Links: CVE-2026-25556 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses