Double-Free Vulnerability in MuPDF Barcode Decoding by Artifex Software
CVE-2026-25556

5.9MEDIUM

Key Information:

Vendor

Artifex Software

Status
MuPDF
Vendor
CVE Published:
6 February 2026

What is CVE-2026-25556?

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability during the barcode decoding process. This vulnerability arises when an exception occurs in the fz_fill_pixmap_from_display_list() function, which wrongly drops a caller-owned fz_pixmap pointer in its error handling pathway before rethrowing the exception. As a result, the same pixmap can be inadvertently released twice: first in the error handling and again during cleanup processes, leading to heap corruption and potential crashes. This issue primarily impacts applications leveraging MuPDF for decoding barcodes, especially when handling specially crafted input that triggers display list rendering errors.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MuPDF 1.23.0 <= 1.27.0

References

https://bugs.ghostscript.com/show_bug.cgi?id=709029
issue-tracking
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/c...
patch
https://mupdf.com/
product

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pavel Kohout, Aisle Research (www.aisle.com)
JSON
.