CVE-2022-38171

CWE-190 — Integer Overflow CWE-476 — NULL Pointer Dereference6 documents6 sources

Severity

7.8HIGH

EPSS

0.1%

top 71.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Poppler Xpdfreader Xpdf

Timeline

PublishedAug 22

Latest updateOct 10

Description

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDxpdfreader/xpdf4.04

▶NVDfreedesktop/poppler< 22.09.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-wxgh-95h6-c68v: Xpdf prior to version 4↗2022-08-23

▶

OSV

CVE-2022-38171: Xpdf prior to version 4↗2022-08-22

▶

CVEList

CVE-2022-38171: Xpdf prior to version 4↗2022-08-22

▶

📋Vendor Advisories

Microsoft

Microsoft QUIC Denial of Service Vulnerability↗2023-10-10

▶

Red Hat

poppler: integer overflow in JBIG2 decoder using malformed files↗2022-08-30

▶