CVE-2026-40505
ANSI Escape Injection in MuPDF mutool Metadata Enables Terminal Spoofing

Publication date: 2026-04-16

Last updated on: 2026-04-17

Assigner: VulnCheck

Description
MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.
Meta Information
Published: 2026-04-16
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: artifex
Product: mupdf
Version / Range: all versions up to commit 0f17d78 (exclusive)
CWE ID Description
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences: the product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
AI Powered Q&A
How can this vulnerability impact me?

If you run mutool info on a crafted PDF in an interactive terminal, the attacker controls what your terminal displays afterwards.

The embedded escape sequences can clear the screen, move the cursor and print arbitrary text, so the output can be made to look like a fresh shell prompt, a package-manager message, or a command that "you" apparently typed. Nothing is executed by the sequences themselves; the harm comes when you act on the fake display, for example by running a suggested command or typing a password into what looks like a prompt.

The direct impact is therefore to the integrity of what the terminal shows, with no direct effect on confidentiality or availability; any further compromise depends on the social-engineering step succeeding.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is in the tool, not in a particular file, so there are two questions: is the installed mutool older than the fix, and does a given PDF carry escape sequences in its metadata? Do not answer the second one by running an unpatched mutool info against the suspect file on an interactive terminal; that is exactly the trigger.

Check the installed version first:

  • mutool -v

Then inspect a suspect PDF without letting any escape sequence reach the terminal. Both of the following show the raw bytes in visible form (^[ is the ESC character, 0x1B):

  • mutool info <filename.pdf> | cat -v
  • grep -ac $'\x1b' <filename.pdf>

A metadata value containing ^[[2J (clear screen), ^[[H (cursor home), or any ^[ followed by [ or ] is a crafted file. Two caveats: the ESC byte can be written as the PDF octal escape \033 inside a literal string or as 1B inside a hex string, in which case grep on the raw file misses it while mutool info (which decodes the string) still shows it through cat -v; and metadata stored in compressed object streams is invisible to grep and strings entirely.


What immediate steps should I take to mitigate this vulnerability?

Update MuPDF to 1.27 or later; the fix is commit 0f17d78, so any build at or after that commit is also patched.

Until the update is applied, do not run mutool info on untrusted PDFs directly in an interactive terminal. Pipe the output through cat -v, or redirect it to a file and open it in an editor, so that control bytes are shown as ^[ rather than interpreted. The same habit protects against every other tool that echoes metadata from untrusted files.

Treat anything mutool prints as data, not as a prompt: a genuine shell prompt never appears in the middle of a command's output, and a request to paste or run a command that "appears" after running mutool is the attack itself.
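The detection and mitigation answers above both come down to the same two operations: decode the strings in the PDF's Info dictionary and show any control characters in a form a terminal will display rather than obey. The script below does both without involving mutool at all, so it is safe to run on an unpatched host. It is an added example for this page, not MuPDF code; the function names, the constructed SAMPLE_PDF and the scope are all this example's own assumptions. It parses only the literal "(...)" and hex "<...>" strings that sit uncompressed in the file (the classic trailer /Info dictionary), approximates PDFDocEncoding as Latin-1, and does not look inside compressed object streams or XMP metadata.

```python
"""Scan PDF metadata strings for terminal escape sequences and show them safely.
Added example for this page, not MuPDF code; see the lead-in for its assumptions."""
import re
import sys

# Constructed sample, not a real file. /Title smuggles ESC as the PDF octal escape
# \033, clears the screen (ESC[2J), homes the cursor (ESC[H), then paints a fake
# prompt. /Producer is a UTF-16BE hex string ("Hello") to exercise that path too.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Title (Quarterly report\\033[2J\\033[H$ sudo rm -rf /)"
    b" /Author (alice) /Producer <FEFF00480065006C006C006F> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n"
)
# "/Name" followed by a literal string "(" or a hex string "<" (but not a dict "<<").
STRING_START_RE = re.compile(rb"/([A-Za-z0-9_.#-]+)\s*(\(|<(?!<))")
# C0 controls other than TAB and LF, DEL, and the C1 range (0x9B is 8-bit CSI).
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")
# ECMA-48 sequences worth naming: CSI, OSC (BEL/ST-terminated), other ESC Fe, 8-bit CSI.
ESCAPE_SEQ_RE = re.compile(
    r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[\x40-\x5f]|\x9b[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
)
_SIMPLE_ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}

def _read_literal(data, start):
    """Return (raw body, index past ')') for a balanced literal string; escapes kept raw."""
    depth, i, body = 1, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == 0x5C:                          # backslash: copy the escape pair
            body += data[i:i + 2]
            i += 2
            continue
        depth += (c == 0x28) - (c == 0x29)     # nested parentheses are legal
        if depth == 0:
            return bytes(body), i + 1
        body.append(c)
        i += 1
    return bytes(body), len(data)              # unterminated string: best effort

def _unescape_literal(body):
    """Decode backslash escapes (PDF 32000-1 7.3.4.2); \\ooo octal is how ESC is smuggled."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] != 0x5C or i + 1 == len(body):
            out.append(body[i])
            i += 1
        elif 0x30 <= body[i + 1] <= 0x37:      # one to three octal digits
            j = i + 1
            while j < min(len(body), i + 4) and 0x30 <= body[j] <= 0x37:
                j += 1
            out.append(int(body[i + 1:j], 8) & 0xFF)
            i = j
        else:                                  # \n \r \t \b \f, or \( \) \\ verbatim
            out.append(_SIMPLE_ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
    return bytes(out)

def _read_hex(data, start):
    """Return (decoded bytes, index past '>') for a hex string; odd digit count pads with 0."""
    end = data.find(b">", start)
    end = len(data) if end < 0 else end
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", data[start:end])   # drop whitespace and junk
    return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii")), end + 1

def iter_metadata_strings(data):
    """Yield (key, decoded text) for every uncompressed "/Key (...)" or "/Key <...>"."""
    pos = 0
    while (m := STRING_START_RE.search(data, pos)) is not None:
        key = m.group(1).decode("ascii", "replace")
        if m.group(2) == b"(":
            raw, pos = _read_literal(data, m.end())
            raw = _unescape_literal(raw)
        else:
            raw, pos = _read_hex(data, m.end())
        if raw.startswith(b"\xfe\xff"):        # UTF-16BE text string
            yield key, raw[2:].decode("utf-16-be", errors="replace")
        else:                                  # Latin-1 as a stand-in for PDFDocEncoding
            yield key, raw.decode("latin-1")

def sanitize(text):
    """Render control characters as \\xNN so a terminal shows them instead of obeying them."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)

def find_escape_injections(data):
    """One finding per metadata string carrying control characters; every field is safe to print."""
    findings = []
    for key, text in iter_metadata_strings(data):
        seqs = ESCAPE_SEQ_RE.findall(text)
        if seqs or CONTROL_RE.search(text):
            findings.append({"key": key, "sequences": [sanitize(s) for s in seqs],
                             "preview": sanitize(text)})
    return findings

if __name__ == "__main__":
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for f in find_escape_injections(pdf):
        print(f"/{f['key']}: {len(f['sequences'])} escape sequence(s): {f['preview']}")
```

Run it with a path to check a real file, or with no arguments to see it flag the sample's /Title while leaving /Author and the UTF-16 /Producer alone. The sanitize function is the substitution any metadata-printing tool should apply before writing to a terminal; here it is applied to the report itself, so the findings are safe to read even when the string they describe is not.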


Can you explain this vulnerability to me?

CVE-2026-40505 is a vulnerability in MuPDF's mutool: string values from the PDF Info dictionary (Title, Author, Producer and so on) are written to standard output by mutool info without neutralising control characters (CWE-150).

An attacker embeds ANSI escape sequences in those fields; the PDF format makes this easy because a literal string may spell the ESC byte as the octal escape \033 and a hex string may spell it as 1B. When mutool info prints the decoded value to a terminal, the terminal emulator interprets the sequences instead of displaying them.

That lets the attacker clear the screen, reposition the cursor and render arbitrary text, which is enough to show a fake prompt or a spoofed command for social engineering. Versions before 1.27 are affected; the fix is commit 0f17d78.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability lets an attacker inject arbitrary ANSI escape sequences into terminal output via unsanitised PDF metadata, enabling social-engineering attacks such as fake prompts or spoofed commands.

It does not by itself expose or destroy data: there is no direct impact on confidentiality or availability, and only a limited integrity impact through terminal manipulation.

Nothing in the advisory indicates a direct effect on compliance with GDPR, HIPAA or similar regimes. Whether an obligation arises depends on what a deceived operator goes on to do, which is a general social-engineering consideration rather than a property of this bug.

