CVE-2026-25556 — Double Free in Software Mupdf

CWE-415 — Double Free CWE-763 — Release of Invalid Pointer or Reference7 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 93.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Mupdf Artifex Software Mupdf

Timeline

PublishedFeb 6

Description

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Debianartifex/mupdf< 1.27.0+ds1-3

▶NVDartifex/mupdf1.23.0 — 1.27.0

▶CVEListV5artifex_software/mupdf1.23.0 — 1.27.0

Patches

Patch: cgit.ghostscript.com ↗

🔴Vulnerability Details

GHSA

GHSA-39p9-g2pq-q8r7: MuPDF versions 1↗2026-02-06

▶

OSV

CVE-2026-25556: MuPDF versions 1↗2026-02-06

▶

CVEList

MuPDF <= 1.27.0 Barcode Decoding Double Free↗2026-02-06

▶

📋Vendor Advisories

Red Hat

MuPDF: MuPDF: Denial of Service via crafted input during barcode decoding↗2026-02-06

▶

Debian

CVE-2026-25556: mupdf - MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_f...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25556 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶