Cyber Resilience

CVE-2026-25556

Severity: Medium · Public PoC

Published: 06 February 2026
Modified: 24 February 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0003 (8.4th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25556 is a medium-severity Double Free (CWE-415) vulnerability in Artifex MuPDF. Its CVSS v4.0 base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1499.004 (Application or System Exploitation). EPSS ranks the vulnerability at the 8.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

MuPDF versions 1.23.0 through 1.27.0 are affected by CVE-2026-25556, a double-free vulnerability (CWE-415) in the fz_fill_pixmap_from_display_list() function. The issue arises when an exception occurs during display list rendering, as the function accepts a caller-owned fz_pixmap pointer but incorrectly drops it in the error handling path before rethrowing the exception. Callers, such as the barcode decoding path in fz_decode_barcode_from_display_list(), also drop the same pixmap during cleanup, leading to heap corruption and process crashes. This vulnerability impacts applications that enable and use MuPDF's barcode decoding feature.
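The ownership mistake described above is a general pattern: a callee that releases a resource it does not own in its error path, while the caller's own cleanup releases it again. The following C program is an added illustration of that pattern and of its corrected form; it is not MuPDF code, and the names pixmap, pixmap_new, pixmap_drop, fill_pixmap_buggy, fill_pixmap_fixed and decode_with are hypothetical stand-ins for fz_pixmap, fz_fill_pixmap_from_display_list() and the barcode decoding caller. Exceptions are modelled with setjmp/longjmp, and released objects are kept in a static pool and only marked as released so that the second drop is counted rather than corrupting the heap.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for MuPDF's fz_pixmap: a reference-counted buffer
 * (example code, not MuPDF's). Objects live in a static pool and are only
 * marked released, never handed back to malloc, so a second drop can be
 * detected and counted instead of corrupting the heap. */
enum { POOL_SIZE = 16 };
typedef struct {
    int refs;               /* live references; the owner holds one */
    int released;           /* 1 once the last reference was dropped */
    unsigned char *samples; /* the pixel buffer */
} pixmap;

static pixmap g_pool[POOL_SIZE];
static int g_next_slot = 0;
static int g_double_frees = 0; /* drops observed on an already-released pixmap */

static pixmap *pixmap_new(size_t nbytes)
{
    if (g_next_slot >= POOL_SIZE) return NULL;
    pixmap *p = &g_pool[g_next_slot++];
    p->refs = 1;
    p->released = 0;
    p->samples = calloc(1, nbytes);
    return p;
}

/* Mirrors the fz_drop_* convention: the caller gives up one reference. */
static void pixmap_drop(pixmap *p)
{
    if (!p) return;
    if (p->released) {      /* this is the double free (CWE-415) */
        g_double_frees++;
        return;
    }
    if (--p->refs == 0) {
        free(p->samples);
        p->samples = NULL;
        p->released = 1;
    }
}

/* Rendering step; 'fail' models an exception raised mid-render. */
typedef void (*fill_fn)(pixmap *pix, int fail, jmp_buf *rethrow);

/* Vulnerable shape: the callee releases a pixmap it does not own before
 * rethrowing, so the caller's own cleanup drop becomes the second free. */
static void fill_pixmap_buggy(pixmap *pix, int fail, jmp_buf *rethrow)
{
    if (fail) {
        pixmap_drop(pix);     /* BUG: pix is caller-owned */
        longjmp(*rethrow, 1); /* rethrow to the caller */
    }
    memset(pix->samples, 0xff, 1); /* "render" something into the buffer */
}

/* Corrected shape: on error, leave ownership exactly where it was. */
static void fill_pixmap_fixed(pixmap *pix, int fail, jmp_buf *rethrow)
{
    if (fail)
        longjmp(*rethrow, 1); /* rethrow; the caller still owns pix */
    memset(pix->samples, 0xff, 1);
}

/* Caller pattern (cf. the barcode decoding path): allocate, render inside a
 * try block, always drop in cleanup. Returns the number of double-free
 * events this run produced, or -1 if the pool is exhausted. */
static int decode_with(fill_fn fill, int fail)
{
    int before = g_double_frees;
    pixmap *pix = pixmap_new(64);
    jmp_buf env;
    if (pix == NULL) return -1;
    if (setjmp(env) == 0)
        fill(pix, fail, &env);   /* "try" */
    /* "catch" falls through to the same cleanup as the success path */
    pixmap_drop(pix);            /* the caller's drop is correct on its own */
    return g_double_frees - before;
}

int main(void)
{
    printf("buggy callee, error path: %d double free(s)\n", decode_with(fill_pixmap_buggy, 1));
    printf("fixed callee, error path: %d double free(s)\n", decode_with(fill_pixmap_fixed, 1));
    printf("buggy callee, happy path: %d double free(s)\n", decode_with(fill_pixmap_buggy, 0));
    return 0;
}
```

The caller's drop is the same in every run; only the callee's error path decides whether it is the first or the second release. In real code the second release is what AddressSanitizer reports as a double-free, and the review rule that prevents it is simple: an error path may only release what the function itself acquired.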

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with network accessibility, low attack complexity, and no privileges or user interaction required. Attackers can exploit it remotely by supplying crafted input, such as a malicious barcode, that triggers a rendering-time error during barcode decoding. Successful exploitation results in heap corruption and denial-of-service via process crash, affecting any vulnerable MuPDF-integrated application processing untrusted inputs.

Mitigation is available through a patch commit (d4743b6092d513321c23c6f7fe5cff87cde043c1) in the MuPDF Git repository, as documented in the Ghostscript bug tracker (bug 709029) and a VulnCheck advisory. Security practitioners should update to a patched MuPDF version beyond 1.27.0 and review applications that use barcode decoding for exposure to malicious PDF or image inputs. Additional details are available on the MuPDF website.

Vulnerability details

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception.

Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.

CWE(s)

CWE-415: Double Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assessed)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Double-free leads to heap corruption and process crash on crafted input (malicious barcode/PDF); directly enables T1499.004 Application or System Exploitation for DoS (matches CVSS A:H, no UI/PR, remote trigger).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-39564 (shared CWE-415)
CVE-2025-69650 (shared CWE-415)
CVE-2026-21918 (shared CWE-415)
CVE-2025-27836 (same vendor: Artifex)
CVE-2025-27831 (same vendor: Artifex)
CVE-2025-27834 (same vendor: Artifex)
CVE-2026-5657 (shared CWE-415)
CVE-2022-49686 (shared CWE-415)
CVE-2025-27833 (same vendor: Artifex)
CVE-2026-23449 (shared CWE-415)

Affected Assets

Vendor: artifex
Product: mupdf
Versions: 1.23.0 through 1.27.0

Mitigating Controls (NIST 800-53 r5, AI-assessed)

SI-2 Flaw Remediation (prevent): Directly mandates timely patching of the double-free vulnerability in MuPDF versions 1.23.0 through 1.27.0 to eliminate the root cause.

SI-16 Memory Protection (prevent): Implements memory protection mechanisms such as ASLR and DEP to mitigate heap corruption from the double-free during display list rendering.

Secure error handling (prevent): Requires secure error handling to prevent improper pixmap cleanup in exception paths that lead to double-free in barcode decoding.
