Use After Free Vulnerability in MuPDF Library by Artifex Software
CVE-2020-16600

7.8HIGH

Key Information:

Vendor: Artifex
Status: MuPDF
Vendor: CVE Published:; 9 December 2020

What is CVE-2020-16600?

A vulnerability in the MuPDF library causes a Use After Free condition when processing a series of pages with varying pixmap dimensions. Specifically, when a valid page is followed by a page that presents invalid dimensions, the variable 'bander' erroneously points to a previously freed memory block. This can lead to potential exploitation through the manipulation of input files that trigger this flaw, allowing attackers to execute arbitrary code or lead to application instability.

References

https://bugs.ghostscript.com/show_bug.cgi?id=702253

x_refsource_MISC

http://git.ghostscript.com/?p=mupdf.git%3Bh=96751b25462f8...

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2020
Vulnerability Reserved
Aug 3, 2020