Bug 2458866 (CVE-2026-40505)

Summary: CVE-2026-40505 MuPDF: MuPDF mutool: Terminal manipulation through unsanitized PDF metadata
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in MuPDF mutool. This vulnerability allows a local attacker to embed malicious ANSI escape sequences within a PDF's metadata. When a user views the PDF's information using the `mutool info` command, these unsanitized sequences are processed by the terminal. This can lead to the terminal displaying arbitrary text, which could be used for social engineering attacks, such as presenting fake prompts or spoofed commands to deceive the user.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-16 02:02:03 UTC 
MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.