CVE-2025-32365
published 2025-04-05


Priority: P427
Severity: high (CVSS 3.1 base score 7.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
EPSS: 0.22% (12.2th percentile)
Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

Affected

6 ranges

Vendor      | Product | Version range                             | Fixed in
debian      | poppler | < poppler 22.12.0-2+deb12u1 (bookworm)    | poppler 22.12.0-2+deb12u1 (bookworm)
freedesktop | poppler | < 25.04.0                                 | 25.04.0
freedesktop | poppler | >= 0, < 20.09.0-3.1+deb11u2               | 20.09.0-3.1+deb11u2
freedesktop | poppler | >= 0, < 22.12.0-2+deb12u1                 | 22.12.0-2+deb12u1
freedesktop | poppler | >= 0, < 25.03.0-3                         | 25.03.0-3
freedesktop | poppler | >= 0, < 25.03.0-3                         | 25.03.0-3

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.1   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
osv           |         | 7.1   | HIGH     |
vendor_debian |         | 4.0   | MEDIUM   |
vendor_redhat |         | 4.0   | MEDIUM   |