PatchSiren cyber security CVE debrief
CVE-2026-25556 Artifex Software CVE debrief
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. This can lead to a double-free error when the caller also drops the same pixmap in cleanup, potentially corrupting the heap and crashing the process. Developers and users of MuPDF library, especially those who enable and use MuPDF barcode decoding, should be aware of this vulnerability and take necessary actions to mitigate the risk.
- Vendor
- Artifex Software
- Product
- MuPDF
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-06
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-06
- Advisory updated
- 2026-07-14
Who should care
Developers and users of MuPDF library, especially those who enable and use MuPDF barcode decoding, should be aware of this vulnerability and take necessary actions to mitigate the risk. They should review official advisories, validate affected scope, and apply patches or updates from the vendor.
Technical summary
The vulnerability is caused by a double-free error in the fz_fill_pixmap_from_display_list() function. When an exception occurs during display list rendering, the function incorrectly drops the caller-owned fz_pixmap pointer in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Defensive priority
Medium
Recommended defensive actions
- Update MuPDF to version 1.28.0 or later
- Disable barcode decoding if not necessary
- Validate and sanitize input data to prevent crafted input from triggering the vulnerability
- Monitor for and apply patches or updates from the vendor
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-02-06T17:16:27.387Z and was last modified on 2026-07-14T16:16:53.830Z. The NVD entry is currently Analyzed. This vulnerability affects applications that enable and use MuPDF barcode decoding. The double-free error can corrupt the heap and crash the process. Developers should verify affected product deployments and review official advisories for mitigation guidance.
Official resources
-
CVE-2026-25556 CVE record
CVE.org
-
CVE-2026-25556 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Exploit, Issue Tracking
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-06T17:16:27.387Z and has not been modified since then. The NVD entry is currently Analyzed.