2463367 – (CVE-2026-7233) CVE-2026-7233 mupdf: Artifex MuPDF: Information disclosure due to out-of-bounds read

Bug 2463367 (CVE-2026-7233) - CVE-2026-7233 mupdf: Artifex MuPDF: Information disclosure due to out-of-bounds read

Summary: CVE-2026-7233 mupdf: Artifex MuPDF: Information disclosure due to out-of-boun...

Keywords:
Status:	NEW
Alias:	CVE-2026-7233
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2463401 2463402
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-28 07:01 UTC by OSIDB Bzimport
Modified:	2026-04-28 13:11 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-28 07:01:57 UTC

A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.

Comment 2 Michael J Gruber 2026-04-28 13:11:56 UTC

This is the upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=709328

Note You need to log in before you can comment on or make changes to this bug.