CVE-2026-25556

7.5 HIGH

📋 TL;DR

MuPDF 1.23.0 through 1.27.0 contain a double-free vulnerability in the barcode decoding functionality (the fz_decode_barcode_from_display_list() path). Specially crafted input that makes rendering fail during barcode decoding triggers the double free, corrupting the heap; the observed outcome is a crash of the process that called into MuPDF. Any application that links MuPDF and runs barcode decoding over untrusted input is affected.

💻 Affected Systems

Products:
  • MuPDF
Versions: 1.23.0 through 1.27.0
Operating Systems: All platforms running MuPDF
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when barcode decoding feature is enabled and used. Many applications may not use this feature by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Heap corruption could potentially lead to remote code execution if an attacker can control memory layout and exploit the corruption.

🟠

Likely Case

Application crash (denial of service) when processing malicious PDF files containing crafted barcodes.

🟢

If Mitigated

No impact if barcode decoding is disabled or if vulnerable versions aren't used.

🌐 Internet-Facing: MEDIUM - Applications processing user-uploaded PDFs with barcode decoding enabled are vulnerable to crashes.
🏢 Internal Only: LOW - Internal document processing systems are less likely to encounter malicious input.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a PDF that provokes a rendering error while a barcode is being decoded, and the attacker must be able to get that file into a barcode-decoding code path. No public exploit code has been observed; the reliable outcome is a crash, and turning the heap corruption into code execution would require additional control over heap layout.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit d4743b6092d513321c23c6f7fe5cff87cde043c1. Because 1.27.0 is listed as affected, a release number alone is not enough: use a release or build that includes this commit.

Vendor Advisory: https://bugs.ghostscript.com/show_bug.cgi?id=709029

Restart Required: Yes

Instructions:

1. Update MuPDF to a build that includes commit d4743b6092d513321c23c6f7fe5cff87cde043c1.
2. Rebuild any application that links MuPDF statically or bundles its own copy; dynamically linked applications pick up the fixed shared library on restart.
3. Restart affected services.

🔧 Temporary Workarounds

Disable barcode decoding (applies to: all platforms)

Disable MuPDF's barcode decoding feature so the vulnerable code path is never reached.

Configure the application not to call fz_decode_barcode_from_display_list() (or any other barcode decoding entry point) on untrusted input, or build MuPDF without barcode support if your build of MuPDF makes that feature optional.

🧯 If You Can't Patch

  • Disable barcode decoding functionality in all applications using MuPDF
  • Implement strict input validation and sandboxing for PDF processing

🔍 How to Verify

Check if Vulnerable:

Check the MuPDF version in use and whether your application calls the barcode decoding API at all; if it never decodes barcodes, the vulnerable code is not reachable.

Check Version:

mutool -v (prints "mutool version X.Y.Z"); for an application that links libmupdf, check the FZ_VERSION macro in mupdf/fitz/version.h of the headers it was built against, or the version reported by the language binding.

Verify Fix Applied:

Verify that the MuPDF build in use includes commit d4743b6092d513321c23c6f7fe5cff87cde043c1 (a release number of 1.27.0 or lower is not sufficient). No public PoC exists, so regression-test barcode decoding with your own corpus of malformed PDFs, ideally under AddressSanitizer, rather than relying on "known problematic files".
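The following version triage script is an added example and not MuPDF project code. It turns the affected range on this page (1.23.0 through 1.27.0 inclusive) into a verdict, and treats a version inside that range as vulnerable unless the operator knows the build includes the fix commit. The `mutool -v` invocation is assumed to print a string containing the dotted version; the function names and verdict labels are this example's own.

```python
"""Version-range triage for CVE-2026-25556 (added example, not MuPDF project code).

A release number inside the affected range means "vulnerable unless this build
was made from a commit that includes the fix", so the result is a triage verdict
for an inventory, not proof either way.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (1, 23, 0)
AFFECTED_MAX = (1, 27, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first dotted version from text such as 'mutool version 1.26.3'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version_text: str, barcode_enabled: bool) -> str:
    """Return one of:
    'not-affected-by-version'         - outside 1.23.0..1.27.0
    'not-affected-feature-disabled'   - in range, but barcode decoding is never used
    'vulnerable'                      - in range and barcode decoding is reachable
    A build from a post-fix commit may still report an in-range version; that
    knowledge has to come from the build, not from the version string.
    """
    v = parse_version(version_text)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return "not-affected-by-version"
    if not barcode_enabled:
        return "not-affected-feature-disabled"
    return "vulnerable"


def installed_mutool_version() -> Optional[str]:
    """Run 'mutool -v' if mutool is on PATH and return its combined output.

    Assumed: mutool prints its version banner; stdout and stderr are merged
    because the banner has been written to stderr in some builds.
    """
    exe = shutil.which("mutool")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-v"], capture_output=True, text=True, check=False)
    return (proc.stdout + proc.stderr).strip() or None


if __name__ == "__main__":
    banner = installed_mutool_version()
    if banner is None:
        print("mutool not found on PATH; pass the linked library version instead")
    else:
        # barcode_enabled=True is the conservative default for an inventory pass.
        print(banner, "->", classify(banner, barcode_enabled=True))
```

Run it on each host that ships MuPDF; anything reported as `vulnerable` needs either the fix commit confirmed in the build or the barcode path disabled.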

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PDF files
  • Error messages related to fz_fill_pixmap_from_display_list or barcode decoding

Network Indicators:

  • Unusual PDF uploads to document processing services

SIEM Query:

search 'MuPDF crash' OR 'barcode decoding error' in application logs
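The pseudo-query above only matches literal strings. As an added example (not part of the original advisory and not the project's own tooling), the script below runs the page's log indicators over constructed log lines and correlates them per worker process: a worker that shows both a barcode-path error and a crash signal is the pattern this bug produces, while a lone "barcode decoded" line or a lone crash is not. The log format, the `pdf-worker[pid]` naming and the supervisor line are assumptions; the MuPDF function names are the ones this advisory cites.

```python
"""Log triage for CVE-2026-25556 indicators (added example, not MuPDF project code).

Scans application log lines for the signals this advisory lists (crashes while
handling PDFs, errors mentioning the barcode decoding path) and groups them by
worker pid so that the barcode-error-followed-by-crash combination stands out.
"""
import re
from typing import Dict, List, Optional

# Indicator patterns. The function names are MuPDF's (cited in the advisory);
# the crash strings are common glibc / signal messages, and the "worker ... exited"
# form is an assumed supervisor log line.
INDICATORS = {
    "barcode_path": re.compile(
        r"fz_decode_barcode|fz_fill_pixmap_from_display_list|barcode", re.I),
    "crash": re.compile(
        r"SIGSEGV|SIGABRT|double free|segmentation fault|worker \d+ exited", re.I),
    "pdf": re.compile(r"\.pdf\b", re.I),
}

# Pid appears as "pdf-worker[4182]" in worker lines and "worker 4182" in
# supervisor lines (assumed format).
PID_RE = re.compile(r"\[(\d+)\]|worker (\d+)")

# Constructed sample log for illustration; not captured from a real system.
SAMPLE_LOG = """\
2026-02-10T09:14:02Z INFO  pdf-worker[4182] rendering upload_7a1.pdf page 3
2026-02-10T09:14:02Z ERROR pdf-worker[4182] fz_fill_pixmap_from_display_list: cannot render page
2026-02-10T09:14:02Z ERROR pdf-worker[4182] free(): double free detected in tcache 2
2026-02-10T09:14:03Z WARN  supervisor worker 4182 exited with signal SIGABRT while processing upload_7a1.pdf
2026-02-10T09:15:11Z INFO  pdf-worker[4190] rendering invoice_2026.pdf page 1
2026-02-10T09:15:11Z INFO  pdf-worker[4190] barcode decoded: QR
"""


def score_line(line: str) -> List[str]:
    """Names of the indicators that match this line, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def extract_pid(line: str) -> Optional[str]:
    """Pull the worker pid out of a line, or None if the line has no pid."""
    m = PID_RE.search(line)
    if m is None:
        return None
    return m.group(1) or m.group(2)


def triage(log_text: str) -> Dict[str, dict]:
    """Group indicator hits by worker pid and flag pids that show both a
    barcode-path error and a crash, which is the combination this CVE produces.
    Lines with no indicator are dropped; lines with no pid go under 'unknown'.
    """
    per_pid: Dict[str, dict] = {}
    for line in log_text.splitlines():
        hits = score_line(line)
        if not hits:
            continue
        pid = extract_pid(line) or "unknown"
        entry = per_pid.setdefault(pid, {"indicators": set(), "lines": []})
        entry["indicators"].update(hits)
        entry["lines"].append(line)
    for entry in per_pid.values():
        entry["suspect"] = {"barcode_path", "crash"} <= entry["indicators"]
    return per_pid


if __name__ == "__main__":
    for pid, entry in triage(SAMPLE_LOG).items():
        flag = "SUSPECT" if entry["suspect"] else "ok"
        print(f"pid {pid}: {flag} indicators={sorted(entry['indicators'])}")
```

Feed it real worker logs by replacing `SAMPLE_LOG` with your own text; adjust `PID_RE` to whatever your service uses to tie a crash back to the request it was handling, since that link is what lets you recover the offending PDF for analysis.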

🔗 References
