Bug 2437835 (CVE-2026-25556) - CVE-2026-25556 MuPDF: MuPDF: Denial of Service via crafted input during barcode decoding
Summary: CVE-2026-25556 MuPDF: MuPDF: Denial of Service via crafted input during barco...
Keywords:
Status: NEW
Alias: CVE-2026-25556
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2437972 2437973 2437974 2437975
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-09 11:08 UTC by OSIDB Bzimport
Modified: 2026-02-09 17:26 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-02-09 11:08:52 UTC 
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Comment 2 Michael J Gruber 2026-02-09 17:26:27 UTC 
Again, this report is partially wrong (versions below .1.26.0 do not even have barcode support) and misses the most relevant information (upstream bug and fix). Can we have these automatic buggers to be more helpful please?

https://bugs.ghostscript.com/show_bug.cgi?id=709029

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
Note You need to log in before you can comment on or make changes to this bug.