PatchSiren cyber security CVE debrief
CVE-2017-5991 Debian CVE debrief
CVE-2017-5991 is a high-severity denial-of-service issue in Artifex MuPDF. The vulnerable code path is in pdf_run_xobject within pdf-op-run.c, where a NULL pointer dereference can occur during a Fitz painting operation. NVD rates the issue 7.5/HIGH with no confidentiality or integrity impact; only availability is affected. The CVE record says versions 1.11 and later are not affected.
- Vendor: Debian
- Product: CVE-2017-5991
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
Teams that ship, embed, or depend on MuPDF-based PDF rendering, especially where older MuPDF builds may still be present in desktops, servers, document pipelines, or downstream Linux packages. Debian environments should also review any packaged MuPDF dependency exposed through the affected CPEs listed by NVD.
Technical summary
The issue is a NULL pointer dereference in MuPDF's PDF execution/rendering path. The CVE description names pdf_run_xobject in pdf-op-run.c and ties the failure to a Fitz fz_paint_pixmap_with_mask painting operation. NVD maps the weakness to CWE-476 and lists affected Artifex MuPDF versions prior to 1.11, along with Debian Linux 8.0 and 9.0 CPEs. The published impact profile indicates network-reachable, low-complexity denial of service.
Defensive priority
High for any environment still running affected MuPDF builds or downstream packages that include them. Priority is lower if you have already confirmed MuPDF 1.11 or later, or if the vulnerable rendering path is not present in your deployment.
Recommended defensive actions
- Inventory all applications, libraries, and packages that embed or depend on MuPDF.
- Confirm the deployed MuPDF version; treat versions earlier than 1.11 as vulnerable unless vendor guidance says otherwise.
- Apply the upstream fix identified in the CVE record and update to a non-affected release.
- Review Debian 8.0 and 9.0 systems and any vendor packages that may ship the affected MuPDF build.
- Add regression testing around PDF rendering paths so malformed or edge-case documents do not crash the process.
- Monitor for repeated rendering crashes or service restarts in PDF-processing workloads.
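One way to apply the version check from the list above across an inventory, as an added example (not PatchSiren's or MuPDF's own code). The host names and version strings are constructed, and the status labels are assumptions of this example.

```python
import re

FIXED = (1, 11)  # CVE record: versions 1.11 and later are not affected

# [epoch:]major.minor, then any suffix ("a", ".0", "+ds1-4+deb9u3", ...)
_UPSTREAM = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)")


def parse_upstream(version):
    """Return (major, minor) as integers, or None if there is no x.y prefix."""
    match = _UPSTREAM.match(version.strip())
    return (int(match.group(1)), int(match.group(2))) if match else None


def triage(version):
    """Classify one MuPDF version string against the 1.11 boundary."""
    upstream = parse_upstream(version)
    if upstream is None:
        return "unknown"  # unparseable: inspect the build by hand
    # Compare as integer tuples: as strings, "1.9" sorts after "1.11".
    if upstream >= FIXED:
        return "not-affected"
    # A distribution revision after "-" may carry a backported fix, so a
    # packaged build is sent to vendor guidance instead of being declared
    # vulnerable from the upstream number alone.
    if "-" in version:
        return "review-vendor-status"
    return "affected"


# Constructed inventory: (host, reported MuPDF version). Not real systems.
INVENTORY = [
    ("render-01", "1.9a"),
    ("render-02", "1.10a"),
    ("render-03", "1.11"),
    ("deb-host-1", "1.9a+ds1-4+deb9u3"),
    ("deb-host-2", "1.14.0+ds1-4"),
    ("legacy-01", "custom build"),
]


def triage_inventory(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```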
Evidence notes
The CVE description states that an issue was discovered in Artifex MuPDF before commit 1912de5f08e90af1d9d0a9791f58ba3afdb9d465, and that pdf_run_xobject in pdf-op-run.c encounters a NULL pointer dereference during a Fitz fz_paint_pixmap_with_mask painting operation. NVD classifies the weakness as CWE-476 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The NVD record also lists Artifex MuPDF prior to 1.11 and Debian Linux 8.0/9.0 as vulnerable CPEs.
Official resources
- CVE-2017-5991 CVE record (CVE.org)
- CVE-2017-5991 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: [email protected] - Broken Link
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory, VDB Entry
Published by NVD on 2017-02-15. The CVE record later notes a modified timestamp of 2026-05-13, but that is not the vulnerability disclosure date.