Description
An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.
Published: 2026-03-31
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Code execution
Action: Patch immediately
AI Analysis

Impact

An integer overflow occurs in the pdf_load_image_imp function of MuPDF 1.27.0 when processing a PDF file. A maliciously crafted PDF can trigger an out‑of‑bounds write on the heap, potentially allowing arbitrary code execution. The flaw is a classic integer overflow that results in buffer corruption.

Affected Systems

The vulnerability affects Artifex Software Inc’s MuPDF library, version 1.27.0. Any system that incorporates this specific version and processes PDF documents using the vulnerable function is susceptible. Users running newer releases or patch releases are not impacted.

Risk and Exploitability

The flaw has a high impact because it can lead to arbitrary code execution. No CVSS score is published, but the nature of the heap corruption suggests serious exploitation risk. There is no EPSS score or KEV listing, so the exact probability of exploitation is unknown. However, the vulnerability can be triggered by any entity able to provide a crafted PDF to the application, implying a remote or local attack vector. Until a vendor patch is applied, systems should assume the attack is plausible.

Generated by OpenCVE AI on March 31, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MuPDF to the latest version that addresses the integer overflow vulnerability.
  • If an update is not immediately available, restrict the use of MuPDF to trusted, signed PDFs only and disable processing of untrusted PDFs.
  • Verify the effect of the update by running regression tests and validating that no new vulnerabilities are introduced.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-190
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Artifex; Artifex mupdf
Weaknesses | | CWE-122; CWE-680
Vendors & Products | | Artifex; Artifex mupdf

Tue, 31 Mar 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.
Title | | CVE-2026-3308
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-01T14:48:14.433Z

Reserved: 2026-02-26T21:04:05.303Z

Link: CVE-2026-3308

Vulnrichment

Updated: 2026-04-01T14:45:57.255Z

NVD

Status: Awaiting Analysis

Published: 2026-03-31T14:16:12.560

Modified: 2026-04-01T16:23:51.103

Link: CVE-2026-3308

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:40Z

Weaknesses