CVE-2025-32365
Published: 2025-04-05
Priority: P4 (27) · Severity: high · CVSS 3.1 base score 7.1
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
EPSS: 0.22% (12.2th percentile)
Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check. This is an out-of-bounds read (CWE-125) reached through Poppler's JBIG2 image decoder, so the exposed surface is any application that renders an untrusted PDF carrying an embedded JBIG2 stream. Note the scoring disagreement recorded below: NVD rates it 7.1 HIGH (local attack vector, user interaction required, high confidentiality and availability impact), while Debian and Red Hat score it 4.0 MEDIUM and Ubuntu describes the observed impact as a crash leading to denial of service.
Affected
The rows below follow the vendor data on this page; the ranges carrying Debian package versions are listed under Debian with the suite they apply to, and the duplicated 25.03.0-3 row has been collapsed.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freedesktop | poppler | < 25.04.0 | 25.04.0 |
| debian (bullseye) | poppler | < 20.09.0-3.1+deb11u2 | 20.09.0-3.1+deb11u2 |
| debian (bookworm) | poppler | < 22.12.0-2+deb12u1 | 22.12.0-2+deb12u1 |
| debian (trixie, forky, sid) | poppler | < 25.03.0-3 | 25.03.0-3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
| osv | | 7.1 | HIGH | |
| vendor_debian | | 4.0 | MEDIUM | |
| vendor_redhat | | 4.0 | MEDIUM | |
GHSA
GHSA-r4rq-7765-p57x (ghsa, unreviewed, 2025-04-07): MEDIUM, CWE-125
Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
OSV
CVE-2025-32365 (osv, 2025-04-05): HIGH, CVSS 7.1
Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
Ubuntu
poppler vulnerabilities (vendor_ubuntu, 2025-04-09)
Summary: poppler could be made to crash if it opened a specially crafted PDF file.
USN-7426-1 fixed several vulnerabilities in poppler. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details: It was discovered that poppler incorrectly handled memory when opening certain PDF files. An attacker could possibly use this issue to cause poppler to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
poppler vulnerabilities (vendor_ubuntu, 2025-04-08)
Summary: poppler could be made to crash if it opened a specially crafted PDF file.
It was discovered that poppler incorrectly handled memory when opening certain PDF files. An attacker could possibly use this issue to cause poppler to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
poppler: Out-of-Bounds Read in Poppler (vendor_redhat, 2025-04-05): MEDIUM, CVSS 4.0, CWE-125
A flaw was found in Poppler. This vulnerability allows out-of-bounds reads via crafted input files that trigger the JBIG2Bitmap::combine function due to a misplaced isOk check.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: poppler (Red Hat Enterprise Linux 6) - Out of support scope
Package: compat-poppler022 (Red Hat Enterprise Linux 7) - Out of support scope
Package: popp
Debian
CVE-2025-32365: poppler (vendor_debian, 2025): MEDIUM, CVSS 4.0
Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
Scope: local
bookworm: resolved (fixed in 22.12.0-2+deb12u1)
bullseye: resolved (fixed in 20.09.0-3.1+deb11u2)
forky: resolved (fixed in 25.03.0-3)
sid: resolved (fixed in 25.03.0-3)
trixie: resolved (fixed in 25.03.0-3)
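The Debian fixed versions above turned into a host triage check. This is an added example, not part of this page's sources or of any vendor's tooling: the `fixed_version` table covers only the Debian suites listed on this page (the Ubuntu fixed versions live in the USNs, not here), and the `libpoppler*` package pattern used for the live check is an assumption to verify against `dpkg -l` on the host.

```shell
#!/bin/sh
# Added example (not from the advisory or any vendor): decide whether a
# Debian-family poppler package is below the fixed version this page lists.

# version_lt A B: true when A sorts strictly before B. Uses dpkg's own
# comparison when dpkg is present, otherwise GNU sort -V, which agrees with
# dpkg for the plain "upstream-revision+debNuM" strings used here but not
# for epochs ("1:") or tilde ("~") pre-release markers.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] && \
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# fixed_version SUITE: print the fixed poppler version for a Debian suite
# (values from this page's Debian entry), or fail when the suite is not listed.
fixed_version() {
    case "$1" in
        bullseye) echo 20.09.0-3.1+deb11u2 ;;
        bookworm) echo 22.12.0-2+deb12u1 ;;
        trixie|forky|sid) echo 25.03.0-3 ;;
        *) return 1 ;;
    esac
}

# poppler_status SUITE INSTALLED: prints "vulnerable", "fixed" or "unknown".
poppler_status() {
    fixed=$(fixed_version "$1") || { echo unknown; return 2; }
    if version_lt "$2" "$fixed"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Live check on the current host; silently skipped on non-dpkg systems.
# Package pattern libpoppler* is an assumption: confirm the name with dpkg -l.
if command -v dpkg-query >/dev/null 2>&1 && [ -r /etc/os-release ]; then
    suite=$(. /etc/os-release; echo "$VERSION_CODENAME")
    installed=$(dpkg-query -W -f '${Version}\n' 'libpoppler*' 2>/dev/null | head -n 1)
    [ -n "$installed" ] && \
        echo "$suite libpoppler $installed: $(poppler_status "$suite" "$installed")"
fi
```

For the Ubuntu 16.04/18.04 and later releases, add the versions from USN-7426-1 and its follow-up to `fixed_version` before relying on the "fixed" verdict; an unknown suite deliberately reports "unknown" rather than guessing.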
No detection rules found.
No public exploits indexed.
Published: 2025-04-05