2390608 – (CVE-2025-9394) CVE-2025-9394 PoDoFo: PoDoFo PDF Dictionary PdfTokenizer.cpp DetermineDataType use after free

Bug 2390608 (CVE-2025-9394) - CVE-2025-9394 PoDoFo: PoDoFo PDF Dictionary PdfTokenizer.cpp DetermineDataType use after free

Summary: CVE-2025-9394 PoDoFo: PoDoFo PDF Dictionary PdfTokenizer.cpp DetermineDataTyp...

Keywords:
Status:	NEW
Alias:	CVE-2025-9394
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-24 17:01 UTC by OSIDB Bzimport
Modified:	2025-08-31 18:16 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-24 17:01:13 UTC

A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue.

Note You need to log in before you can comment on or make changes to this bug.