2458866 – (CVE-2026-40505) CVE-2026-40505 MuPDF: MuPDF mutool: Terminal manipulation through unsanitized PDF metadata

Bug 2458866 (CVE-2026-40505) - CVE-2026-40505 MuPDF: MuPDF mutool: Terminal manipulation through unsanitized PDF metadata

Summary: CVE-2026-40505 MuPDF: MuPDF mutool: Terminal manipulation through unsanitized...

Keywords:
Status:	NEW
Alias:	CVE-2026-40505
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-16 02:02 UTC by OSIDB Bzimport
Modified:	2026-04-16 10:24 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-16 02:02:03 UTC

MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when running mutool info, enabling them to clear the terminal display and render arbitrary text for social engineering attacks such as presenting fake prompts or spoofed commands.

Note You need to log in before you can comment on or make changes to this bug.