CVE-2026-10118

high

Published 2026-06-01 · Modified 2026-06-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.8

Description

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-10118 NameCVE-2026-10118 DescriptionA flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could…

CVE-2026-10118

Name	CVE-2026-10118
Description	A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
poppler (PTS)	bullseye	20.09.0-3.1+deb11u1	vulnerable
	bullseye (security)	20.09.0-3.1+deb11u2	vulnerable
	bookworm	22.12.0-2+deb12u1	vulnerable
	trixie	25.03.0-5+deb13u2	vulnerable
	forky	25.03.0-11.1	vulnerable
	sid	26.01.0-4	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
poppler	source	(unstable)	(unfixed)

Notes

https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
https://gitlab.freedesktop.org/poppler/poppler/-/commit/8352264766652b98336e92359a70b3161a9ab97a

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715https://gitlab.freedesktop.org/poppler/poppler/-/commit/8352264766652b98336e92359a70b3161a9ab97a

OS impact

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Fixed	`26.01.0-4.1`
forky	Affected	—
bullseye	Affected	—
bookworm	Affected	—

References

CWEs

CWE-190

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.