CVE-2021-37220Out-of-bounds Write in Mupdf

CWE-787Out-of-bounds Write6 documents6 sources
Severity
5.5MEDIUMNVD
EPSS
0.2%
top 57.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Artifex MupdfFedoraproject Fedora
Timeline
PublishedJul 21
Latest updateOct 16

Description

MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted "mutool draw" input.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

Debianartifex/mupdf< 1.17.0+ds1-2+3
NVDartifex/mupdf1.18.1

Also affects: Fedora 34

🔴Vulnerability Details

3
GHSA
GHSA-244v-xghf-wq26: MuPDF through 12022-05-24
CVEList
CVE-2021-37220: MuPDF through 12021-07-21
OSV
CVE-2021-37220: MuPDF through 12021-07-21

📋Vendor Advisories

2
Ubuntu
MuPDF vulnerabilities2025-10-16
Debian
CVE-2021-37220: mupdf - MuPDF through 1.18.1 has an out-of-bounds write because the cached color convert...2021
CVE-2021-37220 — Out-of-bounds Write in Artifex Mupdf | cvebase