
CVE-2026-25556: CWE-415 Double Free in Artifex Software MuPDF

Severity: Medium
Tags: Vulnerability, CVE-2026-25556, CWE-415
Published: Fri Feb 06 2026 (02/06/2026, 16:11:59 UTC)
Source: CVE Database V5
Vendor/Project: Artifex Software
Product: MuPDF

Description

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.

AI-Powered Analysis

AI analysis last updated: 02/06/2026, 16:44:29 UTC

Technical Analysis

CVE-2026-25556 is a double-free vulnerability identified in Artifex Software's MuPDF library versions 1.23.0 through 1.27.0. The vulnerability resides in the function fz_fill_pixmap_from_display_list(), which is responsible for rendering display lists into pixmaps. When an exception occurs during rendering, this function erroneously frees a caller-owned fz_pixmap pointer in its error handling path before rethrowing the exception. Subsequently, the caller, including the barcode decoding path (fz_decode_barcode_from_display_list), also frees the same pixmap during cleanup. This results in a double-free condition that corrupts the heap, potentially leading to process crashes or undefined behavior. The vulnerability specifically affects applications that enable and use MuPDF's barcode decoding functionality. Exploitation requires processing crafted input that triggers a rendering-time error during barcode decoding, and user interaction is necessary to initiate the process. The CVSS 4.0 base score is 5.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction and causing high impact on availability. No known exploits have been reported in the wild as of the publication date. The flaw primarily threatens application stability and availability rather than confidentiality or integrity. The vulnerability highlights the importance of proper memory management in error handling paths within complex rendering libraries like MuPDF.
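The description and the analysis above both come down to one ownership rule: a function that receives a caller-owned fz_pixmap must not drop it on its error path, because the caller's cleanup will drop it again. The following C program is an added illustration written for this page; it is not MuPDF's code and the fix shown (simply not dropping in the catch path) is an assumption about the shape of a correct fix, not the upstream patch. It uses a small setjmp-based try/catch stack as a sketch of MuPDF's fz_try/fz_catch, a constructed reference-counted `pixmap` in place of fz_pixmap, and records a second drop instead of performing a real double free, so the defect is observable rather than undefined behaviour.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for MuPDF's fz_pixmap: a reference-counted buffer.
 * Instead of freeing twice (undefined behaviour, heap corruption), a drop on
 * an already-released object is recorded so the bug is observable in a test. */
typedef struct {
    int refs;          /* outstanding references; the creator holds the first */
    int double_drop;   /* set if drop is called after refs reached zero */
    unsigned char *samples;
} pixmap;

static pixmap *pixmap_new(size_t n) {
    pixmap *p = calloc(1, sizeof *p);
    p->refs = 1;
    p->samples = calloc(n, 1);
    return p;
}

/* Analogue of fz_drop_pixmap: release one reference, free storage at zero. */
static void pixmap_drop(pixmap *p) {
    if (p->refs <= 0) { p->double_drop = 1; return; }   /* would be a double free */
    if (--p->refs == 0) { free(p->samples); p->samples = NULL; }
}

/* Tiny setjmp-based try/catch, a sketch of MuPDF's fz_try/fz_catch stack. */
static jmp_buf try_stack[8];
static int try_top;

static void throw_error(void) {
    if (try_top <= 0) abort();              /* uncaught: nothing to unwind to */
    longjmp(try_stack[--try_top], 1);       /* pop the innermost handler and jump */
}

/* Stand-in for running a display list; 'fail' simulates a rendering-time error. */
static void run_display_list(pixmap *pix, int fail) {
    memset(pix->samples, 0xff, 4);          /* pretend to rasterise a few pixels */
    if (fail) throw_error();
}

/* VULNERABLE pattern from the advisory: the callee receives a caller-owned
 * pixmap and, on error, drops it before rethrowing. */
static void fill_pixmap_vulnerable(pixmap *pix, int fail) {
    try_top++;
    if (setjmp(try_stack[try_top - 1]) == 0) {
        run_display_list(pix, fail);
        try_top--;                          /* normal exit: pop the handler */
    } else {
        pixmap_drop(pix);                   /* BUG: this is the caller's reference */
        throw_error();                      /* rethrow to the caller */
    }
}

/* FIXED pattern (assumed fix, not necessarily the upstream patch): ownership
 * stays with the caller, so the error path only rethrows. */
static void fill_pixmap_fixed(pixmap *pix, int fail) {
    try_top++;
    if (setjmp(try_stack[try_top - 1]) == 0) {
        run_display_list(pix, fail);
        try_top--;
    } else {
        throw_error();
    }
}

/* Caller modelled on the barcode decoding path: allocates the pixmap, calls the
 * fill routine, and drops its own reference in cleanup whether or not an error
 * occurred. Returns 1 on success, -1 on a cleanly handled error, and -2 if the
 * pixmap was dropped twice (the double-free condition). */
static int decode_barcode(int fail, int use_fixed) {
    pixmap *volatile pix = pixmap_new(16);  /* volatile: lives across setjmp */
    volatile int status;
    try_top++;
    if (setjmp(try_stack[try_top - 1]) == 0) {
        if (use_fixed) fill_pixmap_fixed(pix, fail);
        else fill_pixmap_vulnerable(pix, fail);
        try_top--;
        status = 1;
    } else {
        status = -1;
    }
    pixmap_drop(pix);                       /* caller's cleanup: drop own reference */
    int dd = pix->double_drop;
    free(pix);
    return dd ? -2 : status;
}

int main(void) {
    printf("vulnerable, render ok:    %d\n", decode_barcode(0, 0));
    printf("vulnerable, render error: %d\n", decode_barcode(1, 0));
    printf("fixed, render error:      %d\n", decode_barcode(1, 1));
    return 0;
}
```

The point the two `fill_pixmap_*` variants make is that the error path is where ownership rules most often break: the success path is exercised constantly, while the catch block only runs on malformed input. A reference-counting convention where each function drops exactly the references it took (or keeps one explicitly with the library's keep function before dropping) is the defensive habit, and a build under AddressSanitizer turns the recorded `double_drop` here into a fatal report at the second free in real code.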

Potential Impact

For European organizations, the primary impact of CVE-2026-25556 is the potential for denial-of-service conditions due to application crashes caused by heap corruption from the double-free vulnerability. Organizations relying on MuPDF for document rendering and barcode decoding—common in sectors such as logistics, healthcare, finance, and government—may experience service disruptions or application instability. This could affect automated document processing workflows, barcode scanning systems, and digital archiving solutions. While the vulnerability does not directly expose sensitive data or allow code execution, the resulting crashes could interrupt critical business operations and degrade user trust. Additionally, if attackers combine this vulnerability with other flaws, there may be an increased risk of more severe exploitation. The requirement for user interaction and crafted input somewhat limits remote exploitation, but phishing or malicious document delivery remain plausible attack vectors. European entities with compliance obligations around service availability and operational resilience should consider this vulnerability a significant operational risk.

Mitigation Recommendations

1. Update MuPDF to a patched version beyond 1.27.0 once available from Artifex Software to eliminate the double-free condition.
2. Temporarily disable barcode decoding features in MuPDF if they are not essential to reduce the attack surface.
3. Implement input validation and sanitization on documents and barcode data before processing with MuPDF to prevent crafted inputs from triggering rendering errors.
4. Employ memory protection mechanisms such as heap canaries, AddressSanitizer, or Control Flow Integrity (CFI) in applications embedding MuPDF to detect and mitigate heap corruption.
5. Monitor application logs for crashes or exceptions related to MuPDF rendering and investigate suspicious document inputs.
6. Educate users to avoid opening untrusted or suspicious documents that could exploit this vulnerability.
7. Use application sandboxing or containerization to limit the impact of potential crashes and isolate MuPDF processes.
8. Coordinate with software vendors and security teams to integrate vulnerability scanning and patch management for MuPDF dependencies.


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-02T20:12:33.395Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69861711f9fa50a62f1b4d1e

Added to database: 2/6/2026, 4:30:09 PM

Last enriched: 2/6/2026, 4:44:29 PM

Last updated: 2/6/2026, 5:56:52 PM

