CVE-2026-3308

High

Published: 31 March 2026

Published

31 March 2026

Modified

21 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0002 5.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3308 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the integer overflow vulnerability in MuPDF by applying vendor patches to eliminate the heap out-of-bounds write.

SI-16 Memory Protection good match

prevent

Provides memory protections such as ASLR, DEP, and stack canaries that directly mitigate exploitation of heap out-of-bounds writes for arbitrary code execution.

SI-10 Information Input Validation partial match

prevent

Enforces input validation on PDF files to detect and reject malformed inputs that could trigger the integer overflow in pdf_load_image_imp.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Integer overflow in PDF image parsing leads to heap OOB write and RCE when user opens malicious PDF (UI:R, local file). Directly enables T1203 (Exploitation for Client Execution) and maps to T1204.002 (User Execution: Malicious File) as the trigger mechanism.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for…

arbitrary code execution.

Deeper analysisAI

CVE-2026-3308 is an integer overflow vulnerability (CWE-190) in the `pdf-image.c` file of Artifex's MuPDF version 1.27.0. The flaw resides in the `pdf_load_image_imp` function, where a maliciously crafted PDF can trigger an integer overflow, resulting in a heap out-of-bounds write that could enable arbitrary code execution. This affects the MuPDF library and any applications or viewers relying on it for PDF rendering.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A local attacker with no privileges can exploit it by tricking a user into opening a specially crafted PDF file processed by the affected MuPDF component. Successful exploitation allows arbitrary code execution on the target system, compromising confidentiality, integrity, and availability with high impact.

Advisories recommend updating to a patched version of MuPDF via the fix in commit `a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85`, available in the ArtifexSoftware/mupdf GitHub repository and Ghostscript cgit. The Debian LTS announcement details backported fixes for affected distributions, while the CERT vulnerability note (VU#951662) provides additional guidance on impacted versions and remediation.