CVE-2018-1000036 — Missing Release of Resource after Effective Lifetime in Mupdf

CWE-772 — Missing Release of Resource after Effective Lifetime9 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 48.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Mupdf Debian Linux

Timeline

PublishedMay 24

Latest updateOct 16

Description

In Artifex MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial of service (memory leak) via a crafted file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Debianartifex/mupdf< 1.14.0+ds1-1+3

▶Ubuntuartifex/mupdf< 1.7a-1ubuntu0.1~esm1+2

▶NVDartifex/mupdf1.12.0

Also affects: Debian Linux 9.0

🔴Vulnerability Details

OSV

mupdf vulnerabilities↗2025-10-16

▶

GHSA

GHSA-cqwp-8vf4-jg4p: In MuPDF 1↗2022-05-13

▶

CVEList

CVE-2018-1000036: In Artifex MuPDF 1↗2018-05-24

▶

OSV

CVE-2018-1000036: In Artifex MuPDF 1↗2018-05-24

▶

📋Vendor Advisories

Ubuntu

MuPDF vulnerabilities↗2025-10-16

▶

Debian

CVE-2018-1000036: mupdf - In Artifex MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser all...↗2018

▶

💬Community

Bugzilla

CVE-2018-1000036 mupdf: memory leaks in the PDF parser↗2018-05-24

▶

Bugzilla

CVE-2018-1000036 CVE-2018-1000037 CVE-2018-1000038 CVE-2018-1000039 CVE-2018-1000040 mupdf: various flaws [fedora-all]↗2018-05-24

▶