CVE-2026-25556
Double-Free Vulnerability in MuPDF Barcode Rendering Causes Crash

Publication date: 2026-02-06

Last updated on: 2026-02-24

Assigner: VulnCheck

Description
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
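
The ownership mismatch described above, modelled in C as an added example (not MuPDF source; `pix_t`, `fill_pixmap` and `decode` are hypothetical names). Releases are counted instead of being passed to free(), so the second release can be observed without undefined behavior; the corrected branch is the ownership-consistent form assumed here, not the upstream patch.

```c
#include <setjmp.h>
#include <stdio.h>

/* Toy stand-in for a refcounted pixmap (hypothetical, not MuPDF's type).
   It lives on the caller's stack so every release can be counted safely. */
typedef struct { int refs; int frees; } pix_t;

/* Each time the count reaches zero or below, a real drop would call free(). */
static void pix_drop(pix_t *p) { if (--p->refs <= 0) p->frees++; }

static jmp_buf render_err;

/* Rendering step that throws (longjmp) on malformed input. */
static void render(pix_t *p, int bad_input) {
    (void)p;
    if (bad_input) longjmp(render_err, 1);
}

/* Callee: fills a caller-owned pixmap. drop_on_error=1 reproduces the bug
   pattern: the error path releases an object the callee does not own. */
static int fill_pixmap(pix_t *p, int bad_input, int drop_on_error) {
    if (setjmp(render_err) == 0) {
        render(p, bad_input);
        return 0;
    }
    if (drop_on_error) pix_drop(p);  /* flawed: the caller still owns p */
    return -1;                       /* error propagates to the caller */
}

/* Caller: owns the pixmap and always drops it in cleanup. Returns how many
   times the object was released: 1 is correct, 2 is a double free. */
static int decode(int bad_input, int drop_on_error) {
    pix_t p = { 1, 0 };
    (void)fill_pixmap(&p, bad_input, drop_on_error);
    pix_drop(&p);                    /* cleanup runs on success and failure */
    return p.frees;
}

int main(void) {
    printf("flawed, render error: %d release(s)\n", decode(1, 1));
    printf("fixed,  render error: %d release(s)\n", decode(1, 0));
    printf("flawed, clean render: %d release(s)\n", decode(0, 1));
    return 0;
}
```

The flawed variant only misbehaves when rendering fails, which is why the defect stays hidden on well-formed input and surfaces on input that forces a rendering-time error.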

Meta Information
Published: 2026-02-06
Last Modified: 2026-02-24
Generated: 2026-05-07
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Vendor: artifex
Product: mupdf
Version / Range: From 1.23.0 (inc) to 1.27.0 (inc)

CWE ID: CWE-415
Description: The product calls free() twice on the same memory address.

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25556 is a double-free vulnerability in MuPDF versions 1.23.0 through 1.27.0, specifically in the function fz_fill_pixmap_from_display_list(). This function accepts a caller-owned fz_pixmap pointer but incorrectly frees the pixmap during its error handling path if an exception occurs during display list rendering.

Because the caller, including the barcode decoding function fz_decode_barcode_from_display_list, also frees the same pixmap during cleanup, this results in a double-free condition. This double-free can corrupt the heap and cause the process to crash.

The vulnerability can be triggered by processing specially crafted input that causes a rendering-time error while decoding barcodes.


How can this vulnerability impact me?

This vulnerability can lead to heap corruption and cause the affected application to crash, resulting in denial of service.

Since the issue occurs during barcode decoding, any application using MuPDF's barcode decoding feature and processing untrusted or crafted inputs could be impacted.

The CVSS score of 5.9 indicates a medium severity with a high impact on availability, meaning the vulnerability primarily affects the stability and availability of the application. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update MuPDF to a version later than 1.27.0 where the double-free issue in fz_fill_pixmap_from_display_list() has been fixed.

Additionally, if you use applications that enable MuPDF's barcode decoding feature, consider disabling barcode decoding until the update is applied to prevent triggering the vulnerability. [2]

