PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25556 Artifex Software CVE debrief

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. This can lead to a double-free error when the caller also drops the same pixmap in cleanup, potentially corrupting the heap and crashing the process. Developers and users of MuPDF library, especially those who enable and use MuPDF barcode decoding, should be aware of this vulnerability and take necessary actions to mitigate the risk.

Vendor
Artifex Software
Product
MuPDF
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-06
Original CVE updated
2026-07-14
Advisory published
2026-02-06
Advisory updated
2026-07-14

Who should care

Developers and users of MuPDF library, especially those who enable and use MuPDF barcode decoding, should be aware of this vulnerability and take necessary actions to mitigate the risk. They should review official advisories, validate affected scope, and apply patches or updates from the vendor.

Technical summary

The vulnerability is caused by a double-free error in the fz_fill_pixmap_from_display_list() function. When an exception occurs during display list rendering, the function incorrectly drops the caller-owned fz_pixmap pointer in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.

Defensive priority

Medium

Recommended defensive actions

  • Update MuPDF to version 1.28.0 or later
  • Disable barcode decoding if not necessary
  • Validate and sanitize input data to prevent crafted input from triggering the vulnerability
  • Monitor for and apply patches or updates from the vendor
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-02-06T17:16:27.387Z and was last modified on 2026-07-14T16:16:53.830Z. The NVD entry is currently Analyzed. This vulnerability affects applications that enable and use MuPDF barcode decoding. The double-free error can corrupt the heap and crash the process. Developers should verify affected product deployments and review official advisories for mitigation guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-06T17:16:27.387Z and has not been modified since then. The NVD entry is currently Analyzed.