Skip to main content

CISA issues update on MuPDF integer overflow vulnerability

April 2, 2026

Artifex MuPDF versions up to and including 1.27.0 contain an integer overflow vulnerability that can be triggered with a specially crafted PDF, leading to out-of-bounds heap writes during PDF image decoding. Successful exploitation may cause application crashes and memory corruption or allow arbitrary code execution within the context of the application rendering the PDF.

The vulnerability is tracked as CVE-2026-3308. The issue is in pdf_load_image_Incident Management Plan (IMP), which prepares image data for decoding. The function uses image parameters w (width), h (height), and bpc (bits per component) to determine memory allocation for image decoding. The implementation validates these parameters against SIZE_MAX rather than INT_MAX, but stride calculations use integer-sized values, so the check does not sufficiently protect against integer overflow when exceedingly large values are supplied. When the overflow occurs, corrupted values are passed into fz_unpack_stream, which expands packed image samples into a destination buffer during image decoding. Because the too-small overflow value is used to calculate the size of the destination buffer, insufficient memory is allocated, and fz_unpack_stream performs a write beyond the bounds of the allocated heap buffer.

Successful exploitation results in a heap out-of-bounds write during PDF image decoding. This condition may cause application crashes and memory corruption, or could potentially allow arbitrary code execution within the context of the application rendering the PDF.

The vendor was unreachable to coordinate the vulnerability. Until a complete fix is available, users are advised to avoid processing untrusted PDF files with affected MuPDF-based applications where possible. For applications that rely on MuPDF, the guidance is to isolate document rendering in a sandboxed or low-privilege process and to disable automatic rendering or conversion of untrusted files if feasible. A Pull Request (PR) with the fix is available at https://github.com/ArtifexSoftware/mupdf/pull/87.

The advisory guidance notes that because the vulnerability is triggered during standard PDF parsing operations, systems that automatically process or render untrusted PDF files using MuPDF may be affected.