CVE-2026-25556
Published: 06 February 2026
Summary
CVE-2026-25556 is a high-severity Double Free (CWE-415) vulnerability in Artifex Mupdf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 6.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A double free leads to heap corruption and a process crash on crafted input (a malicious barcode or PDF). This directly enables T1499.004 Application or System Exploitation for denial of service, consistent with the CVSS vector (A:H, no UI or PR required, remotely triggerable).
NVD Description
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Deeper analysis
MuPDF versions 1.23.0 through 1.27.0 are affected by CVE-2026-25556, a double-free vulnerability (CWE-415) in the fz_fill_pixmap_from_display_list() function. The issue arises when an exception occurs during display list rendering, as the function accepts a caller-owned fz_pixmap pointer but incorrectly drops it in the error handling path before rethrowing the exception. Callers, such as the barcode decoding path in fz_decode_barcode_from_display_list(), also drop the same pixmap during cleanup, leading to heap corruption and process crashes. This vulnerability impacts applications that enable and use MuPDF's barcode decoding feature.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with network accessibility, low attack complexity, and no privileges or user interaction required. Attackers can exploit it remotely by supplying crafted input, such as a malicious barcode, that triggers a rendering-time error during barcode decoding. Successful exploitation results in heap corruption and denial-of-service via process crash, affecting any vulnerable MuPDF-integrated application processing untrusted inputs.
Mitigation is available through a patch commit (d4743b6092d513321c23c6f7fe5cff87cde043c1) in the MuPDF Git repository, as documented in the Ghostscript bug tracker (bug 709029) and a Vulncheck advisory. Security practitioners should update to a patched MuPDF version beyond 1.27.0 and review applications using barcode decoding features for exposure to malicious PDF or image inputs. Additional details are available on the MuPDF website.
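The ownership bug class described above, as an added illustration that is not MuPDF source code: a callee receives a caller-owned pixmap, and on its error path releases a reference it does not own before rethrowing, so the caller's own cleanup releases it a second time. The types and functions here (pixmap_t, render_display_list, fill_pixmap_vuln, fill_pixmap_fixed, decode_barcode) are simplified stand-ins chosen for this example, and the exception model is a small setjmp/longjmp stack written for it; none of it reproduces the real MuPDF API. Instead of really calling free() twice, drop_pixmap() counts releases so the double free is observable as a count of 2 rather than as heap corruption.

```c
/*
 * Illustration of a caller-owned-pointer double free and its fix.
 * Hypothetical names throughout; this is not MuPDF code.
 */
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a reference-counted pixmap. drop_pixmap() records how many
 * times it was called instead of freeing, so the test can read the counter. */
typedef struct {
    int refs;
    int drops;   /* number of drop_pixmap() calls against this object */
} pixmap_t;

static pixmap_t *new_pixmap(void) {
    pixmap_t *p = calloc(1, sizeof *p);
    if (p) p->refs = 1;
    return p;
}

static void drop_pixmap(pixmap_t *p) {
    if (!p) return;
    p->drops++;
    /* Real code would free() when --refs reaches 0; here the object is kept
     * alive so that a second drop is visible as drops == 2. */
    p->refs--;
}

/* Minimal exception model: a stack of jump buffers. Each "try" pushes a
 * buffer; throw_error() pops the top one and jumps to it. */
typedef struct {
    jmp_buf stack[8];
    int top;
} ctx_t;

static void throw_error(ctx_t *ctx) {
    longjmp(ctx->stack[--ctx->top], 1);
}

/* Simulated display-list rendering; fail != 0 raises a rendering-time error. */
static void render_display_list(ctx_t *ctx, pixmap_t *pix, int fail) {
    (void)pix;
    if (fail) throw_error(ctx);
}

/* Vulnerable pattern: pix is owned by the caller, but the error path drops it
 * before rethrowing. The caller's cleanup then drops it again. */
static void fill_pixmap_vuln(ctx_t *ctx, pixmap_t *pix, int fail) {
    jmp_buf *jb = &ctx->stack[ctx->top++];
    if (setjmp(*jb) == 0) {
        render_display_list(ctx, pix, fail);
        ctx->top--;              /* normal completion: leave the try scope */
    } else {
        drop_pixmap(pix);        /* BUG: releases a reference this function does not own */
        throw_error(ctx);        /* rethrow to the caller */
    }
}

/* Fixed pattern: the error path only rethrows; ownership stays with the caller. */
static void fill_pixmap_fixed(ctx_t *ctx, pixmap_t *pix, int fail) {
    jmp_buf *jb = &ctx->stack[ctx->top++];
    if (setjmp(*jb) == 0) {
        render_display_list(ctx, pix, fail);
        ctx->top--;
    } else {
        throw_error(ctx);
    }
}

typedef void (*fill_fn)(ctx_t *, pixmap_t *, int);

/* Caller modelled on the advisory's barcode path: it allocates the pixmap,
 * calls the fill routine, and drops the pixmap in its own cleanup whether or
 * not an error occurred. Returns how many times the pixmap was dropped:
 * 1 is correct, 2 is the double free. Returns -1 on allocation failure. */
static int decode_barcode(fill_fn fill, int fail) {
    ctx_t ctx = { .top = 0 };
    pixmap_t *pix = new_pixmap();
    int drops;
    if (!pix) return -1;
    jmp_buf *jb = &ctx.stack[ctx.top++];
    if (setjmp(*jb) == 0) {
        fill(&ctx, pix, fail);
        ctx.top--;
    }
    /* Error or not, the caller performs its one legitimate drop here. */
    drop_pixmap(pix);
    drops = pix->drops;
    free(pix);
    return drops;
}

int main(void) {
    printf("vuln,  no error: %d drop(s)\n", decode_barcode(fill_pixmap_vuln, 0));
    printf("vuln,  error:    %d drop(s)\n", decode_barcode(fill_pixmap_vuln, 1));
    printf("fixed, error:    %d drop(s)\n", decode_barcode(fill_pixmap_fixed, 1));
    return 0;
}
```

The contract worth checking in review is the one the advisory names: a function that takes a pointer it did not allocate must not release it on any path, including the exception path, unless the documentation says ownership is transferred. With the counter model, the vulnerable variant reports two drops on the error path and one otherwise, while the fixed variant reports exactly one in both cases.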
Details
- CWE(s)