HIGH 7.8

CVE-2026-10118: Integer Overflow in Poppler Splash Backend Leading to Code Execution

Poppler, a widely-used PDF rendering library, contains a vulnerability in its Splash graphics backend that allows attackers to execute arbitrary code or crash applications by delivering specially crafted PDF files. The flaw stems from an integer overflow in the tiling pattern fill function—a feature used to render repeating graphical patterns in PDFs. When an attacker-controlled integer value overflows during this calculation, it causes the library to allocate insufficient heap memory. This undersized buffer is then written to beyond its boundaries, corrupting adjacent memory and potentially enabling code execution.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-30

NVD description (verbatim)

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

40 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability (CWE-190: Integer Overflow or Wraparound) resides in Poppler's `tilingPatternFill` function within the Splash rendering backend. An attacker crafts a PDF file with malicious tiling pattern parameters that, when processed, cause an integer arithmetic operation to wrap around to an unexpectedly small value. This truncated result is used to allocate heap memory, creating a classic integer-overflow-to-heap-overflow chain. The subsequent out-of-bounds write corrupts heap metadata or adjacent objects, enabling exploitation for arbitrary code execution (ACE), information disclosure via heap memory leakage, or denial of service via crash. The vulnerability is reachable when a user or application processes the malicious PDF, making user interaction (opening the file) the sole prerequisite.

Business impact

Organizations and users relying on Poppler-based PDF viewers, document processors, or server-side PDF rendering services face immediate risk of compromise. An attacker can deliver a trojanized PDF via email, web download, or document collaboration platforms and silently gain code execution within the security context of the rendering process. In enterprise environments, compromised systems could serve as initial footholds for lateral movement, data exfiltration, or ransomware deployment. For companies providing PDF-as-a-service or embedded PDF rendering, this vulnerability could allow attackers to pivot into customer environments or abuse the service for malware distribution.

Affected systems

Any system running Poppler for PDF rendering is potentially affected, including but not limited to desktop PDF viewers (Evince, Okular, MuPDF when built against Poppler), server-side rendering engines (used in web applications and document conversion services), and embedded implementations in other software. The vulnerability does not depend on specific Poppler versions in this disclosure, so all versions prior to a confirmed patch require evaluation. Applications that do not directly link Poppler but embed or fork its code may also be at risk; verify your software bill of materials (SBOM) and vendor advisories.

Exploitability

Exploitation requires only local file access and user interaction—specifically, opening or rendering a malicious PDF. The CVSS vector (AV:L/AC:L/PR:N/UI:R) reflects this: the attack is local, conditions are not complex, no privileges are needed beforehand, and user action (opening the PDF) is mandatory. The barrier to exploitation is low; an attacker needs basic PDF authoring knowledge to craft the malicious file, and the payload can be distributed through common channels (email, web, cloud storage). There is no known public exploit code associated with this CVE as of the publication date, but the vulnerability is sufficiently documented that capable threat actors could weaponize it. Given the ubiquity of PDF handling in business workflows, real-world exploitation is plausible once tooling matures.

Remediation

Patch all Poppler installations to a version that addresses this integer overflow, as specified in your vendor's security advisory. If Poppler is embedded in your application, coordinate with your software vendor or rebuild from a patched upstream source. Organizations unable to patch immediately should restrict user access to PDF opening from untrusted sources, disable or isolate Poppler-based rendering services where feasible, and implement additional email and web filtering to block suspicious PDFs. Consider switching to alternative PDF rendering backends if available and compatible with your infrastructure.

Patch guidance

Consult your Poppler vendor (e.g., your Linux distribution, application vendor, or upstream Poppler project) for the specific patched version that remediates CVE-2026-10118. Test patches in a staging environment before production rollout to ensure compatibility. If Poppler is vendored within your own application, rebuild and test with the patched library version. Monitor vendor advisories closely, as patch availability and timelines may vary across distributions. Verify against the official vendor advisory that the update you deploy actually closes the integer overflow in `tilingPatternFill`.

Detection guidance

Monitor PDF file submissions and processing for anomalies: unusual pattern parameters, oversized or malformed tiling dictionaries, or processing crashes tied to PDF rendering. If you have access to Poppler logs or application crash dumps, examine them for stack traces involving `tilingPatternFill` or memory allocation failures. Network-based detection is limited; focus on host-based signals such as process behavior anomalies (spawned child processes, unexpected network connections) following PDF opening. Endpoint detection and response (EDR) tools should flag crashes or exceptions within PDF rendering processes as potential exploitation attempts. Consider fuzzing your PDF processing pipeline with malformed tiling patterns to validate your patch effectiveness.

Why prioritize this

This vulnerability merits urgent prioritization due to its high CVSS score (7.8), the combination of confidentiality, integrity, and availability impact (C:H/I:H/A:H), and the ubiquity of Poppler in end-user and server environments. The local attack vector and requirement for user interaction are typical for PDF exploits, yet the barrier to delivery is low. Organizations handling sensitive documents or exposed to advanced threat actors should prioritize patching within days, not weeks. Even organizations in lower-threat postures should target completion within 30 days to minimize the window for opportunistic exploitation.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects a flaw that allows code execution, information disclosure, and denial of service with only user interaction as a prerequisite. The local attack vector prevents remote exploitation over the network, limiting exposure in some environments (e.g., air-gapped systems), but the low complexity, zero privilege requirement, and broad attack surface (any PDF rendering) sustain a high threat level. The absence of scope change (S:U) indicates the impact is contained to the process itself, not system-wide, though privilege escalation from the rendering context may amplify real-world impact depending on deployment architecture.

Frequently asked questions

Which Poppler versions are vulnerable?

The source data provided does not specify a version range. Consult your vendor's security advisory or the official Poppler project disclosure to determine affected versions. If you are running an unpatched version of Poppler, assume it is vulnerable until confirmed otherwise by your vendor.

Can this vulnerability be exploited remotely over the network?

No. The CVSS vector indicates a local attack vector (AV:L), meaning an attacker must place the malicious PDF where the user will open it—typically via email attachment, file sharing service, or web download. Remote code execution on a system is not possible through network protocols alone; user interaction is mandatory.

What happens if I open a malicious PDF with this flaw?

The outcome depends on how the application is deployed and what context it runs in. In the best case, the heap corruption triggers a crash, causing a denial of service. In worse cases, an attacker could execute arbitrary code within the rendering process's security context, potentially stealing data or using the compromised process as a stepping stone for lateral movement. Sandboxing or running the PDF viewer with minimal privileges reduces risk.

Is there a workaround if I cannot patch immediately?

Yes, several mitigations can reduce exposure: disable automatic PDF opening, avoid opening PDFs from untrusted sources, use email or web gateway filtering to block suspicious attachments, isolate PDF rendering to a sandboxed or virtual environment, and switch to alternative PDF viewers if feasible. However, these are temporary measures; patching Poppler remains the definitive remediation.

This analysis is based on publicly available information current as of June 2026. Vendor advisories, patch availability, and exploitation status may evolve. Organizations should verify all patch versions and remediation steps against official vendor guidance before deployment. SEC.co does not provide exploit code, proof-of-concept development assistance, or weaponization support. This assessment is for defensive purposes only. Always test security updates in controlled environments before production rollout. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).