Overview
Artifex's MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. This heap corruption typically causes the application to crash, but in some cases could be exploited to enable arbitrary code execution.
Description
Artifex MuPDF is a lightweight framework for viewing and converting PDF, XPS, and e-book files. A vulnerability exists in pdf_load_image_imp, which is responsible for preparing image data for decoding.
The function processes image parameters including w (width), h (height), and bpc (bits per component), which are used to determine the amount of memory allocated during image decoding. The current implementation validates these parameters against SIZE_MAX rather than INT_MAX, but because stride calculations use integer-sized values, this check does not sufficiently protect against integer overflow when exceedingly large values are supplied.
When the overflow occurs, the resulting corrupted values are passed into the fz_unpack_stream function, which expands packed image samples into a destination buffer during image decoding. Because this too-small overflow value is used to calculate the size of the destination buffer, not enough memory is allocated for the actual size of the image. This causes fz_unpack_stream to write beyond the bounds of the allocated heap buffer, resulting in a heap out-of-bounds write.
Impact
Successful exploitation results in a heap out-of-bounds write during PDF image decoding. This condition may cause application crashes and memory corruption, or could potentially allow arbitrary code execution within the context of the application rendering the PDF. Since this vulnerability is triggered during standard PDF parsing operations, any system that automatically processes or renders untrusted PDF files using MuPDF may be affected.
Solution
Unfortunately, the vendor was unreachable to coordinate this vulnerability. Until a complete fix is available, users should avoid processing untrusted PDF files with affected MuPDF-based applications where possible. Applications that rely on MuPDF should isolate document rendering in a sandboxed or low-privilege process and disable automatic rendering or conversion of untrusted files if feasible. A Pull Request (PR) was with the fix is available at: https://github.com/ArtifexSoftware/mupdf/pull/87
Acknowledgements
Thanks toYarden Porat from Cyata for reporting this vulnerability. This document was written by Michael Bragg.
CVE-2026-3308 An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.
Vendor Information
Other Information
| CVE IDs: | CVE-2026-3308 |
| API URL: | VINCE JSON | CSAF |
| Date Public: | 2026-04-02 |
| Date First Published: | 2026-04-02 |
| Date Last Updated: | 2026-04-02 17:23 UTC |
| Document Revision: | 1 |