CVE-2018-1000039 — Use After Free in Mupdf

CWE-416 — Use After Free8 documents7 sources

Severity

6.3MEDIUMNVD

EPSS

0.7%

top 27.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Mupdf

Timeline

PublishedMay 24

Latest updateMar 20

Description

In Artifex MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶Debianartifex/mupdf< 1.13.0+ds1-1+3

▶NVDartifex/mupdf1.12.0

Patches

Patch: bugs.chromium.org ↗Patch: bugs.chromium.org ↗Patch: bugs.chromium.org ↗

🔴Vulnerability Details

GHSA

GHSA-mv25-m6g9-hcg7: In MuPDF 1↗2022-05-14

▶

OSV

CVE-2018-1000039: In Artifex MuPDF 1↗2018-05-24

▶

CVEList

CVE-2018-1000039: In Artifex MuPDF 1↗2018-05-24

▶

📋Vendor Advisories

Debian

CVE-2018-1000039: mupdf - In Artifex MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PD...↗2018

▶

📄Research Papers

arXiv

Fat Pointers for Temporal Memory Safety of C↗2023-03-20

▶

💬Community

Bugzilla

CVE-2018-1000036 CVE-2018-1000037 CVE-2018-1000038 CVE-2018-1000039 CVE-2018-1000040 mupdf: various flaws [fedora-all]↗2018-05-24

▶

Bugzilla

CVE-2018-1000039 mupdf: multiple use after free in the PDF parser↗2018-05-24

▶