CVE-2025-52886
published 2025-07-02

Priority: P429 medium, 5.9 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.37% (28.9th percentile)

Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | poppler | < poppler 25.03.0-5 (forky) | poppler 25.03.0-5 (forky) |
| freedesktop | poppler | < 25.06.0 | 25.06.0 |
| freedesktop | poppler | >= 0 < 25.03.0-5 | 25.03.0-5 |
| freedesktop | poppler | >= 0 < 25.03.0-5 | 25.03.0-5 |
| freedesktop | poppler | >= 0 < 0.41.0-0ubuntu1.16+esm7 | 0.41.0-0ubuntu1.16+esm7 |
| freedesktop | poppler | >= 0 < 0.62.0-2ubuntu2.14+esm7 | 0.62.0-2ubuntu2.14+esm7 |
| freedesktop | poppler | >= 0 < 0.86.1-0ubuntu1.7+esm1 | 0.86.1-0ubuntu1.7+esm1 |
| poppler | poppler | < 25.06.0 | 25.06.0 |

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.5 | MEDIUM | |
| vendor_ubuntu | | 6.5 | MEDIUM | |
| vendor_debian | | 5.5 | MEDIUM | |
| vendor_redhat | | 5.5 | MEDIUM | |