An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion.
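The failure mode described above, modelled as an added example (not MuPDF's code and not the upstream fix): a walk over outline items that rejects any item reached twice, so a cyclic /Next or /First reference ends with an error instead of unbounded recursion. The `outline_item` struct, the function names and the sample outlines are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a PDF outline item (not MuPDF's data structure). */
struct outline_item {
    struct outline_item *first;  /* models the /First reference (first child) */
    struct outline_item *next;   /* models the /Next reference (next sibling) */
    int seen;                    /* set once the walk has reached this item */
};

/* In a well-formed outline every item is reached exactly once, so reaching
   an item a second time means the file is malformed (cycle or shared node).
   Returns the number of items, or -1 if any item is reached twice.
   Siblings are iterated, so only nesting depth consumes stack. */
static int walk_outline(struct outline_item *item)
{
    int count = 0;
    for (; item != NULL; item = item->next) {
        if (item->seen)
            return -1;
        item->seen = 1;
        count++;
        if (item->first != NULL) {
            int sub = walk_outline(item->first);
            if (sub < 0)
                return -1;
            count += sub;
        }
    }
    return count;
}

/* Builds one of three constructed outlines over four items and walks it.
   kind 0: well formed, n0 -> n1 -> n2 as siblings, n3 is a child of n1.
   kind 1: n2's /Next points back at n0 (the cyclic /Next case).
   kind 2: n0 and n1 reference each other through /First. */
static int check_sample(int kind)
{
    struct outline_item n[4];
    memset(n, 0, sizeof n);
    if (kind == 2) { n[0].first = &n[1]; n[1].first = &n[0]; }
    else { n[0].next = &n[1]; n[1].next = &n[2]; n[1].first = &n[3]; }
    if (kind == 1) n[2].next = &n[0];
    return walk_outline(&n[0]);
}

int main(void)
{
    return (check_sample(0) == 4 && check_sample(1) == -1) ? 0 : 1;
}
```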
https://nvd.nist.gov/vuln/detail/CVE-2025-46206 (which should have been linked in the bug) points at the upstream bug and fix:

https://bugs.ghostscript.com/show_bug.cgi?id=708521
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac

This has also been backported upstream to the 1.26.x branch right before releasing mupdf 1.26.0:

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=2712e9e4404efd2f47a0a0d342b0c9d5b4ad1522

... necessitating the fixup for the fix in d3ed4b89b6d05c89b3b4eef423dc60ba56e8b3d5

As such, the bug is invalid on F42 which has had mupdf 1.26.3 for 4 weeks. For the others I'll see about backporting (upstream considers 1.26.x the maintenance branch and 1.25.x EOL, which clashes with our branch policies).
Just so that it doesn't get lost: EPEL for RHEL 10.0 cannot see a fix for the reasons outlined in the EPEL 10 bug.