PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5896 Artifex CVE debrief

CVE-2017-5896 is a denial-of-service vulnerability in MuPDF’s image handling path. The official record describes a heap-based buffer overflow in fz_subsample_pixmap() (fitz/pixmap.c) that results in an out-of-bounds read and application crash when a crafted image is processed. The vulnerability was publicly disclosed on 2017-02-15; the patch and advisory references in the record date to the same February 2017 window.

Vendor
Artifex
Product
MuPDF
CVSS
5.5 MEDIUM (CVSS v3.0 base score)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-15
Original CVE updated
2026-05-13
Advisory published
2017-02-15
Advisory updated
2026-05-13

Who should care

Organizations that use MuPDF to render or inspect untrusted PDFs or images should care, especially where the library is embedded in document viewers, content pipelines, scanners, or server-side processing workflows. Security teams responsible for desktop applications and services that accept user-supplied documents should prioritize review if any of them may still run MuPDF 1.10 or earlier.

Technical summary

NVD records CVE-2017-5896 as affecting cpe:2.3:a:artifex:mupdf versions through 1.10. The issue is described as a heap-based buffer overflow in fitz/pixmap.c within fz_subsample_pixmap(), resulting in an out-of-bounds read and crash from a crafted image. The NVD entry assigns CWE-125 and a CVSS v3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Source references include upstream patch discussion, issue tracking, and downstream advisories.

Defensive priority

Medium. The official record reports denial of service only (CVSS v3.0 C:N/I:N/A:H), not code execution or data disclosure, and the AV:L/UI:R vector is scored on the assumption that a user opens the crafted file locally. Even so, the affected code parses attacker-controlled image content, so a single malformed input can crash any application or service that renders untrusted files, and a server-side ingestion pipeline that accepts uploads is effectively reachable by remote attackers regardless of how the vector is scored. Prioritize if MuPDF sits in exposed or high-volume document ingestion paths, where repeated crashes amount to a reliable denial of service against the pipeline.

Recommended defensive actions

  • Inventory systems and applications that bundle or depend on MuPDF, including embedded viewers and document-processing services.
  • Confirm whether any deployed version is at or below MuPDF 1.10, which NVD marks as vulnerable.
  • Apply the vendor or downstream fixes referenced in the advisory and patch links.
  • Test with representative untrusted-image inputs after remediation to verify that rendering no longer crashes.
  • If immediate upgrading is not possible, reduce exposure by restricting untrusted document handling and isolating parsing workflows.
  • Monitor for service crashes or abnormal termination in components that rely on MuPDF image parsing.
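As an added example covering the inventory and version-check steps above (this is not PatchSiren’s or Artifex’s own tooling): a POSIX shell script that parses a `mutool -v` banner, decides whether the reported version falls in the range NVD marks as affected (through 1.10, so 1.10 itself and suffixed builds such as 1.10a count), and walks a constructed sample inventory. The banner format `mutool version X.Y` and the sample host lines are assumptions. The script only covers a `mutool` binary on the path; libmupdf statically linked into another application still needs a package-manager or SBOM query.

```shell
#!/bin/sh
# Added example for this debrief, not PatchSiren's or Artifex's own tooling.
# Classifies MuPDF/mutool version strings against the NVD range for
# CVE-2017-5896 (affected through 1.10). Assumption: `mutool -v` prints a
# banner of the form "mutool version X.Y[suffix]", e.g. "mutool version 1.10a".

# Print the leading run of digits in a string, or "0" if there is none.
digits_prefix() {
    d=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    printf '%s\n' "${d:-0}"
}

# Return 0 if VERSION is in the affected range (major.minor <= 1.10), else 1.
# A suffix such as "1.10a" is still minor version 10, so it counts as affected.
mupdf_vulnerable() {
    v=$1
    major=$(digits_prefix "${v%%.*}")
    case $v in
        *.*) minor=$(digits_prefix "${v#*.}") ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -lt 1 ]; then
        return 0
    fi
    if [ "$major" -eq 1 ] && [ "$minor" -le 10 ]; then
        return 0
    fi
    return 1
}

# Print the version embedded in a mutool banner line; print nothing if no match.
mupdf_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^mutool version \([0-9][0-9A-Za-z.]*\).*$/\1/p'
}

# Classify one banner line. Prints "VULNERABLE <ver>", "OK <ver>" or "UNKNOWN".
# Exit status: 0 affected, 1 not affected, 2 unparseable.
classify_banner() {
    ver=$(mupdf_version_from_banner "$1")
    if [ -z "$ver" ]; then
        printf 'UNKNOWN\n'
        return 2
    fi
    if mupdf_vulnerable "$ver"; then
        printf 'VULNERABLE %s\n' "$ver"
        return 0
    fi
    printf 'OK %s\n' "$ver"
    return 1
}

# Constructed sample banners standing in for `mutool -v 2>&1 | head -n 1`
# collected from several hosts (not real inventory data).
SAMPLE_BANNERS='hostA mutool version 1.9
hostB mutool version 1.10a
hostC mutool version 1.11
hostD mutool version 1.23.11
hostE bash: mutool: command not found'

# Walk the sample inventory, one "host banner..." line at a time.
scan_sample_inventory() {
    printf '%s\n' "$SAMPLE_BANNERS" | while IFS=' ' read -r host banner; do
        printf '%s: %s\n' "$host" "$(classify_banner "$banner")"
    done
}

# Classify the mutool on this machine, if any (mutool prints its banner on stderr).
report_local_mutool() {
    if command -v mutool >/dev/null 2>&1; then
        printf 'local: %s\n' "$(classify_banner "$(mutool -v 2>&1 | head -n 1)")"
    else
        printf 'local: mutool not installed\n'
    fi
}

scan_sample_inventory
report_local_mutool
```

The minor-version comparison deliberately ignores anything after the second component, which is what makes 1.10a land on the affected side and 1.23.11 on the clean side; an off-by-one here (treating 1.10 as fixed) would silently clear exactly the release the record names.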

Evidence notes

The debrief is based on the official CVE record and NVD entry supplied in the corpus. NVD lists the affected CPE as Artifex MuPDF through version 1.10 and identifies CWE-125. The source references include upstream patch discussion on openwall, an upstream issue tracker entry, and downstream advisories from Debian and Gentoo. The public record date is 2017-02-15; later modification metadata should not be treated as the original disclosure date.

Official resources

Publicly disclosed on 2017-02-15. The patch and advisory references supplied in the corpus (the upstream patch discussion on openwall, the upstream issue tracker entry, and the Debian and Gentoo advisories) date to early February 2017; use them as timeline context only, not as the CVE issue date.