Cyber Resilience

CVE-2026-3308

High

Published: 31 March 2026

Published
31 March 2026
Modified
21 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3308 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3308 is an integer overflow vulnerability (CWE-190) in the `pdf-image.c` file of Artifex's MuPDF version 1.27.0. The flaw resides in the `pdf_load_image_imp` function, where a maliciously crafted PDF can trigger an integer overflow, resulting in a heap out-of-bounds write that could enable arbitrary code execution. This affects the MuPDF library and any applications or viewers relying on it for PDF rendering.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A local attacker with no privileges can exploit it by tricking a user into opening a specially crafted PDF file processed by the affected MuPDF component. Successful exploitation allows arbitrary code execution on the target system, compromising confidentiality, integrity, and availability with high impact.

Advisories recommend updating to a patched version of MuPDF via the fix in commit `a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85`, available in the ArtifexSoftware/mupdf GitHub repository and Ghostscript cgit. The Debian LTS announcement details backported fixes for affected distributions, while the CERT vulnerability note (VU#951662) provides additional guidance on impacted versions and remediation.

EU & UK References

Vulnerability details

An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for…

more

arbitrary code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Integer overflow in PDF image parsing leads to heap OOB write and RCE when user opens malicious PDF (UI:R, local file). Directly enables T1203 (Exploitation for Client Execution) and maps to T1204.002 (User Execution: Malicious File) as the trigger mechanism.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24875Shared CWE-190
CVE-2026-34644Shared CWE-190
CVE-2026-20884Shared CWE-190
CVE-2026-34640Shared CWE-190
CVE-2026-21321Shared CWE-190
CVE-2026-40250Shared CWE-190
CVE-2026-4775Shared CWE-190
CVE-2026-20889Shared CWE-190
CVE-2026-40962Shared CWE-190
CVE-2026-21353Shared CWE-190

Affected Assets

MuPDF
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the integer overflow vulnerability in MuPDF by applying vendor patches to eliminate the heap out-of-bounds write.

prevent

Provides memory protections such as ASLR, DEP, and stack canaries that directly mitigate exploitation of heap out-of-bounds writes for arbitrary code execution.

prevent

Enforces input validation on PDF files to detect and reject malformed inputs that could trigger the integer overflow in pdf_load_image_imp.

References