PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10118 Red Hat CVE debrief

A high-severity integer overflow vulnerability in Poppler's Splash backend allows an attacker who can get a crafted PDF opened on a target system to achieve arbitrary code execution, information disclosure, or denial of service. The flaw resides in the `tilingPatternFill` function, where an integer overflow in a buffer-size calculation during rendering leads to an undersized heap allocation and a subsequent out-of-bounds write. The CVSS vector is local (the malicious file must be processed on the victim's system) with user interaction required (opening the PDF), and the impact to confidentiality, integrity, and availability is rated high. The Red Hat vendor attribution, and the Red Hat Enterprise Linux 10 product entry below, are derived from reference-domain analysis at low confidence and require review; the affected product is not named in the available sources. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor
Red Hat
Product
Red Hat Enterprise Linux 10
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running applications that render PDFs through Poppler's Splash backend, including desktop document viewers, print servers, thumbnailers, and automated PDF processing pipelines. Linux distributions and enterprises relying on Poppler-derived tools (Evince, Okular, pdftotext, pdftoppm, etc.) should prioritize patching. The CVSS "user interaction required" rating assumes a person opens the file; in mail gateways, document-conversion services, and indexing jobs the software opens every submitted PDF automatically, so security teams in environments that ingest untrusted PDFs should treat the flaw as reachable without any user action and put containment measures in place.

Technical summary

The vulnerability exists in Poppler's Splash rendering backend, specifically in the `tilingPatternFill` function. When a crafted PDF's tiling pattern fill operation is processed, attacker-controlled values enter the calculation that sizes a heap buffer, and the multiplication overflows. The wrapped result is smaller than the amount of data the rendering code then writes, so the heap allocation is undersized and the subsequent writes run past the end of the buffer. The out-of-bounds write can corrupt heap metadata or adjacent objects, which is the primitive an attacker would build on to gain code execution in the context of the PDF-processing application; whether that is practical in a given deployment depends on the allocator, the process's mitigations, and how much of the written data the attacker controls, none of which the available sources detail. The attack requires the target to open or automatically process the malicious PDF.
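The sizing pattern behind this class of bug, as an added illustration that is not Poppler's code and not the actual `tilingPatternFill` implementation: a 32-bit product of attacker-controlled dimensions wraps, the allocation is made from the wrapped value, and the fill loop writes the true amount. The checked form beside it is what a fix for CWE-190 typically looks like. The function names, the 64 MiB policy cap, and the "crafted" dimensions are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap on a single tile bitmap; not a Poppler constant. */
#define MAX_TILE_BYTES ((size_t)64 * 1024 * 1024)

/* Vulnerable sizing pattern: the product is formed in 32-bit arithmetic.
 * 65536 x 65536 x 4 is 2^34, which wraps to 0; 65537 x 65537 x 1 wraps to
 * 131073. Either way malloc() gets far less than the fill loop writes. */
uint32_t vuln_tile_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;            /* unsigned wrap: defined, and wrong */
}

/* Bytes the fill loop really writes, computed wrap-free in 64 bits. The gap
 * between this and vuln_tile_bytes() is the heap overflow a crafted PDF gets. */
uint64_t true_tile_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return (uint64_t)width * (uint64_t)height * (uint64_t)bpp;
}

/* Hardened sizing: each multiplication is checked before it is performed and
 * the total is bounded by a cap. Returns false when the dimensions cannot be
 * honoured; the caller must then reject the pattern instead of rendering. */
bool checked_tile_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out) {
    if (width == 0 || height == 0 || bpp == 0) return false;
    if ((size_t)width > SIZE_MAX / bpp) return false;         /* width * bpp would wrap */
    size_t row_bytes = (size_t)width * bpp;
    if ((size_t)height > SIZE_MAX / row_bytes) return false;  /* row_bytes * height would wrap */
    size_t total = row_bytes * height;
    if (total > MAX_TILE_BYTES) return false;                 /* wrap-free but unreasonable */
    *out = total;
    return true;
}

/* Convenience for callers that only need a size: 0 means "rejected". */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp) {
    size_t n;
    return checked_tile_bytes(width, height, bpp, &n) ? n : 0;
}

/* Fills a tile using the checked size. Returns the buffer (caller frees) or
 * NULL when the dimensions are rejected or allocation fails. The row loop stays
 * inside `total` bytes by construction, since total == row_bytes * height. */
uint8_t *render_tile_checked(uint32_t width, uint32_t height, uint32_t bpp,
                             uint8_t fill, size_t *out_len) {
    size_t total;
    if (!checked_tile_bytes(width, height, bpp, &total)) return NULL;
    uint8_t *tile = malloc(total);
    if (!tile) return NULL;
    size_t row_bytes = (size_t)width * bpp;
    for (uint32_t y = 0; y < height; y++)
        memset(tile + (size_t)y * row_bytes, fill, row_bytes);
    *out_len = total;
    return tile;
}

/* Renders, verifies first and last byte carry the fill value, frees. */
bool render_probe(uint32_t width, uint32_t height, uint32_t bpp, uint8_t fill) {
    size_t len = 0;
    uint8_t *t = render_tile_checked(width, height, bpp, fill, &len);
    if (!t) return false;
    bool ok = len == (size_t)true_tile_bytes(width, height, bpp)
           && t[0] == fill && t[len - 1] == fill;
    free(t);
    return ok;
}

int main(void) {
    /* Constructed "crafted PDF" dimensions, not taken from any real sample. */
    uint32_t w = 65537, h = 65537, bpp = 1;
    printf("vulnerable size calc: %u bytes, true need: %llu bytes\n",
           vuln_tile_bytes(w, h, bpp), (unsigned long long)true_tile_bytes(w, h, bpp));
    printf("checked renderer on crafted dims: %s\n",
           render_probe(w, h, bpp, 0xff) ? "accepted" : "rejected");
    printf("checked renderer on 512x512x4: %s (%zu bytes)\n",
           render_probe(512, 512, 4, 0xff) ? "accepted" : "rejected",
           checked_size_or_zero(512, 512, 4));
    return 0;
}
```

The division-based check is portable C; with GCC or Clang the same thing can be written with `__builtin_mul_overflow`. The cap matters as much as the wrap check: once dimensions are large enough to wrap 32 bits they are also far beyond anything a legitimate tile needs, so rejecting them costs nothing and closes the whole class, not just the one product that happened to overflow.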

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-supplied Poppler patches as soon as distribution maintainers or upstream publish them; inventory which packages link libpoppler (viewers, thumbnailers, conversion tools, print filters) so the patch scope is known rather than assumed
  • Where an application supports a non-Splash backend, switch to it (e.g., the Cairo backend, or poppler-utils' pdftocairo in place of the Splash-based pdftoppm); this only avoids the affected code path and is a stopgap, not a substitute for patching, and many viewers offer no such choice
  • Run PDF rendering in a sandboxed or isolated process (seccomp, a container or bubblewrap-style namespace, or the application's own sandbox) so that a successful overflow is confined to a low-privilege process without access to user data or credentials
  • Restrict or quarantine untrusted PDF ingestion in security-critical environments, in particular automated pipelines that open every submitted file, pending patch availability
  • Monitor Poppler upstream and distribution security advisories for patch release notifications and for any change in the vendor and product attribution, which is currently low confidence

Evidence notes

CVE description identifies a Poppler Splash backend `tilingPatternFill` integer overflow leading to a heap-based out-of-bounds write. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality, integrity and availability impact. CWE-190 (Integer Overflow or Wraparound) assigned by Red Hat. The vendor field shows 'Unknown Vendor' with a low-confidence 'Redhat' domain candidate requiring review, which is the source of the Red Hat / Red Hat Enterprise Linux 10 entries above. No CPE criteria available. VulnStatus: Awaiting Analysis.

Official resources

2026-06-01T17:16:39.500Z