PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8674 Artifex CVE debrief

CVE-2016-8674 is a medium-severity memory-safety flaw in MuPDF’s PDF parsing code. The issue is a use-after-free in pdf_to_num within pdf-object.c, and the documented impact is denial of service through an application crash when a crafted file is processed. NVD maps the issue to CWE-416 and rates it CVSS 5.5 with availability impact only. The safest remediation is to move off affected MuPDF releases and confirm that downstream packages include the upstream fix.

Vendor: Artifex
Product: CVE-2016-8674
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Teams that ship or embed MuPDF, distributors that package MuPDF-based tools, and product security owners for applications that open untrusted PDF content. This also matters for desktop, server, and document-processing deployments where a crash could interrupt service or workflows.

Technical summary

NVD describes CVE-2016-8674 as a use-after-free in pdf_to_num in MuPDF’s pdf-object.c. The vulnerable version range in the NVD CPE data extends through 1.9a, while the advisory text says the bug was fixed before 1.10. The reported outcome is a denial of service via application crash after processing a crafted file. NVD’s CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and the weakness is CWE-416 (Use After Free).

Defensive priority

Medium. The issue does not indicate confidentiality or integrity impact in the NVD record, but it can reliably crash applications that process untrusted input. Prioritize remediation if MuPDF is exposed to user-supplied files or embedded in higher-value workflows.

Recommended defensive actions

  • Upgrade MuPDF to 1.10 or later, or verify that your vendor package includes the upstream fix.
  • If you maintain a downstream build, backport the upstream patch referenced in the project’s commit and issue trackers.
  • Inventory all products that embed MuPDF or link against it, including third-party PDF viewing and conversion tools.
  • Treat untrusted PDF input as hostile and consider sandboxing or process isolation for parsers where feasible.
  • Confirm your operating system or distribution advisory has been applied for packaged MuPDF deployments.
  • Watch for crashes in PDF-processing paths on older builds; recurring crashes may indicate exposure to this flaw.
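
The upgrade, inventory and vendor-package checks above all depend on comparing installed versions against the 1.10 boundary, where a plain string or float comparison wrongly sorts 1.10 before 1.9a. The following is an added example, not code from NVD, Artifex or this page's sources; the asset names, sample version strings and verdict labels are assumptions made for illustration.

```python
import re

FIRST_FIXED = (1, 10, 0, "")  # 1.10, the fixed release named in the advisory text
# Upstream MuPDF versions look like 1.9, 1.9a, 1.10a or 1.14.0.
_UPSTREAM = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)$")

def split_package_version(raw):
    """Split a package version into (upstream_part, has_vendor_suffix)."""
    raw = raw.strip().split(":", 1)[-1]   # drop a leading epoch such as "1:"
    upstream = re.split(r"[+~-]", raw, maxsplit=1)[0]
    return upstream, upstream != raw

def version_key(upstream):
    """Sortable key; numeric fields compare as integers, so 1.10 > 1.9a."""
    m = _UPSTREAM.match(upstream)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch or 0), letter)

def triage(raw):
    """Classify one installed version string against the 1.10 boundary."""
    upstream, vendor_suffix = split_package_version(raw)
    key = version_key(upstream)
    if key is None:
        return "unparsed"
    if key >= FIRST_FIXED:
        return "fixed-upstream"
    # Older upstream base: a vendor build may carry a backported fix, so it is
    # sent to a manual check against the vendor advisory, not given a verdict.
    return "check-vendor-advisory" if vendor_suffix else "affected"

def triage_inventory(rows):
    return {asset: triage(version) for asset, version in rows}

# Constructed inventory: asset names and version strings are illustrative.
SAMPLE = [
    ("pdf-thumbnailer", "1.9a"),
    ("kiosk-viewer", "1.10"),
    ("convert-worker", "1.10a"),
    ("build-image", "1.9a+ds1-4"),
    ("legacy-tool", "1.7"),
    ("vendored-copy", "git-snapshot"),
]

if __name__ == "__main__":
    for asset, verdict in triage_inventory(SAMPLE).items():
        print(f"{asset:16} {verdict}")
```

Anything reported as check-vendor-advisory or unparsed still needs a person to confirm the fix against the distribution advisory or the vendored source.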

Evidence notes

The official NVD record and CVE record identify MuPDF as the affected product and describe the flaw as a use-after-free in pdf_to_num. The NVD record also lists vulnerable CPE coverage through 1.9a and classifies the weakness as CWE-416. Public reference material includes an upstream commit, a Debian security advisory, an oss-security mailing list post, a Gentoo blog write-up, and issue trackers that document the patch and related reporting. NVD published the CVE on 2017-02-15 and later modified the record on 2026-05-13; the public reference trail includes items from 2016 and 2017, showing earlier disclosure and remediation activity.

Official resources

Public references appeared in 2016, including an oss-security post on 2016-10-16 and a Gentoo write-up dated 2016-09-22. NVD published the CVE record on 2017-02-15 and later modified it on 2026-05-13.