Out-of-Bounds Read Vulnerability in Artifex MuPDF CFF Index Handler
CVE-2026-7233

4.8MEDIUM

Key Information:

Vendor

Artifex
Status
MuPDF
Vendor
CVE Published:
28 April 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-7233?

A vulnerability exists in Artifex MuPDF versions up to 1.28.0 due to improper management of the fz_subset_cff_for_gids function in the subset-cff.c file. This flaw leads to potential out-of-bounds read conditions, enabling an attacker to exploit it locally. Although the problem has been acknowledged through a bug report, the vendor has yet to address the issue publicly. Given the nature of the exploit, it raises significant concerns for users reliant on this software for document processing.

Affected Version(s)

MuPDF 1.0

MuPDF 1.1

MuPDF 1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7233 - Proof of Concept

References

https://vuldb.com/vuln/359840
vdb-entrytechnical-description
https://vuldb.com/vuln/359840/cti
signaturepermissions-required
https://vuldb.com/submit/802590
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

biniam (VulDB User)
VulDB CNA Team
.