PatchSiren cyber security CVE debrief

CVE-2026-40505 Artifex Software Inc. CVE debrief

CVE-2026-40505 is a medium-severity ANSI injection vulnerability in Artifex MuPDF versions prior to 1.27. The issue exists in the `mutool` command-line utility, specifically when processing PDF metadata fields. Attackers can craft PDF documents containing malicious ANSI escape sequences in metadata fields; when a victim runs `mutool info` on such a document, these sequences are passed unsanitized to terminal output. This enables terminal display manipulation attacks, including fake prompts and spoofed commands, facilitating social engineering. The vulnerability was published on 2026-04-16 and last modified on 2026-05-26. No known exploitation in ransomware campaigns has been reported. The fix is available in MuPDF 1.27.0.

Vendor: Artifex Software Inc.
Product: MuPDF
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-16
Original CVE updated: 2026-05-26
Advisory published: 2026-04-16
Advisory updated: 2026-05-26

Who should care

Security teams managing document processing pipelines, developers using MuPDF in automated workflows, system administrators allowing PDF analysis on shared systems, and organizations with users who regularly inspect PDF metadata using command-line tools. The social engineering angle makes this relevant for security awareness programs focusing on terminal-based deception attacks.

Technical summary

The vulnerability stems from insufficient output sanitization in MuPDF's `mutool info` command. PDF metadata fields (Title, Author, Subject, Keywords, Creator, Producer) can contain arbitrary byte sequences including ANSI escape codes (ESC [ ...). When `mutool info` displays these fields to a terminal without filtering, the escape sequences are interpreted by the terminal emulator, allowing attackers to: clear screens, move cursors, change colors, hide text, or inject fake shell prompts. The attack requires local access to execute `mutool info` on a malicious PDF and user interaction to view the output. CVSS 4.0 score of 4.8 reflects local attack vector, low attack complexity, and user interaction requirement with low integrity impact.

Defensive priority

medium

Recommended defensive actions

  • Upgrade MuPDF to version 1.27.0 or later to eliminate the vulnerability
  • If immediate patching is not feasible, avoid running `mutool info` on untrusted PDF documents
  • Consider using terminal emulators with ANSI escape sequence filtering when processing unknown PDFs
  • Implement security awareness training regarding terminal-based social engineering techniques
  • Monitor for suspicious PDF files with unusual metadata content in email and web downloads
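The following Python pre-check is an added example, not MuPDF or PatchSiren code, of the metadata screening the technical summary and the monitoring recommendation call for: before a pipeline hands a file to `mutool info`, it pulls the six Info-dictionary strings named above out of the raw PDF, decodes both PDF string syntaxes (literal strings with octal escapes and hex strings, the two ways ESC bytes can be smuggled in), flags any ESC-initiated or C0 control bytes, and renders a field so the terminal prints the escapes instead of acting on them. The sample PDF bytes are constructed; the regex-based extraction is a simplification that ignores object streams, encryption and UTF-16 text strings.

```python
import re

# Info-dictionary keys the advisory names as carrying attacker-controlled text.
INFO_KEYS = ("Title", "Author", "Subject", "Keywords", "Creator", "Producer")

# ESC-initiated sequences: CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL or ESC \),
# two-byte Fe forms (ESC @ .. ESC _) and Fp/Fs/nF forms (ESC intermediates final, e.g. ESC c).
ANSI_RE = re.compile(
    rb"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-Z\\-_]|[ -/]*[0-~])"
)
# Remaining C0 / DEL control bytes a terminal acts on (TAB, LF and CR are tolerated; ESC is above).
CTRL_RE = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1a\x1c-\x1f\x7f]")

_PDF_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def decode_literal(body: bytes) -> bytes:
    """Decode a PDF literal-string body: \\ooo octal escapes (how ESC is usually smuggled) and \\n etc."""
    def repl(m):
        esc = m.group(1)
        if esc.isdigit():
            return bytes([int(esc, 8) & 0xFF])
        return _PDF_ESC.get(esc, esc)          # \( \) \\ and unknown escapes yield the character itself
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, body, flags=re.S)

def extract_info(pdf: bytes) -> dict[str, bytes]:
    """Raw bytes of each Info string present, whether written as a (literal) or a <hex> string."""
    out: dict[str, bytes] = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", pdf, re.S)
        if m is None:
            continue
        if m.group(1) is not None:
            out[key] = decode_literal(m.group(1))
        else:
            h = re.sub(rb"\s+", b"", m.group(2))   # PDF pads an odd final hex digit with 0
            out[key] = bytes.fromhex((h + b"0" if len(h) % 2 else h).decode())
    return out

def audit(pdf: bytes) -> dict[str, list[bytes]]:
    """Per metadata field, the escape sequences and stray control bytes that would reach the terminal."""
    findings: dict[str, list[bytes]] = {}
    for key, val in extract_info(pdf).items():
        hits = ANSI_RE.findall(val) + CTRL_RE.findall(val)
        if hits:
            findings[key] = hits
    return findings

def sanitize(val: bytes) -> str:
    """Render a field with control bytes shown as \\xNN text so the terminal displays rather than obeys them."""
    shown = re.sub(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", lambda m: b"\\x%02x" % m.group(0)[0], val)
    return shown.decode("latin-1")

# Constructed sample: Title smuggles ESC via octal escapes (clear screen, cursor home, fake "$ " prompt);
# Producer is a hex string that hides the cursor (ESC [ ? 2 5 l) followed by a raw backspace byte.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Report\\033[2J\\033[H$ ) /Author (J. Doe)\n"
              b"   /Producer <1B5B3F32356C08> >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for key, hits in audit(SAMPLE_PDF).items():
        print(f"{key}: {len(hits)} suspicious sequence(s) -> {sanitize(extract_info(SAMPLE_PDF)[key])}")
```

A file whose `audit` result is non-empty can be quarantined or logged by the pipeline before anyone views it interactively; clean files return an empty dict.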

Evidence notes

Vulnerability confirmed through the official NVD entry with a CVSS 4.0 vector. Patch commit 0f17d789fe8c29b41e47663be82514aaca3a4dfb identified in both the Ghostscript CGit and GitHub repositories. A third-party advisory from VulnCheck provides additional technical context. CPE criteria confirm that the affected versions are all releases prior to 1.27.0.
