
CVE-2026-25556: CWE-415 Double Free in Artifex Software MuPDF

Severity: Medium
Published: Fri Feb 06 2026 (02/06/2026, 16:11:59 UTC)
Source: CVE Database V5
Vendor/Project: Artifex Software
Product: MuPDF

Description

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.

AI-Powered Analysis

Machine-generated threat intelligence. Last updated: 03/05/2026, 09:22:45 UTC

Technical Analysis

CVE-2026-25556 is a double free (CWE-415) in Artifex Software's MuPDF library, affecting versions 1.23.0 through 1.27.0. It lies in fz_fill_pixmap_from_display_list(), which renders a display list into a pixmap supplied by the caller. The function does not own that fz_pixmap, but when rendering throws an exception its error path drops the pixmap before rethrowing. The caller, which created the pixmap and still holds its reference, drops it again during its own cleanup, so the pixmap's storage is released twice. The double free corrupts the heap; the observable outcome is a crash. Double frees are in general a primitive that attackers have built on, but no public exploit for this issue is known.

The named trigger is barcode decoding: fz_decode_barcode_from_display_list calls the vulnerable function and drops the same pixmap in its cleanup, so a crafted input that causes a rendering-time error while a barcode is being decoded reaches the bug. Only applications that enable and use MuPDF's barcode decoding are affected, and only the exception path is affected; a render that completes normally does not touch it.

No privileges are required, but user interaction is: a maliciously crafted document has to be processed. The CVSS v4.0 base score is 5.9 (Medium), with a network attack vector, low attack complexity, attack requirements present and user interaction required. The confidentiality impact is minimal; availability is the significant impact, because the result is a crash. No patch is linked on this record yet, so consumers should watch the vendor's advisories and release notes.
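The error-path ownership mistake described in the description and the analysis above, as an added example that is not MuPDF's code or the advisory's: a constructed C model in which fz_try/fz_catch is approximated with a setjmp/longjmp frame stack, the pixmap is a reference-counted stand-in, and an instrumented drop counts releases of an already-released buffer instead of letting the allocator corrupt. The names context, pixmap_drop, render, fill_pixmap, decode_barcode and run_scenario are this example's own, as is the buggy_drop flag that switches between the affected versions' error path and the corrected one.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not MuPDF code: the context, try frames, pixmap and renderer
 * are stand-ins shaped like fz_context, fz_try/fz_catch and fz_pixmap. */
#define MAX_TRY_DEPTH 8
typedef struct {
    jmp_buf *frames[MAX_TRY_DEPTH];  /* stack of active try frames */
    int depth;
    const char *error;               /* in-flight exception message */
} context;

static void ctx_push(context *ctx, jmp_buf *jb) { ctx->frames[ctx->depth++] = jb; }
static void ctx_pop(context *ctx) { ctx->depth--; }
/* Unwind to the innermost try frame (mirrors fz_throw / fz_rethrow). */
static void ctx_throw(context *ctx, const char *msg) {
    ctx->error = msg;
    longjmp(*ctx->frames[ctx->depth - 1], 1);
}

typedef struct { int refs; unsigned char *samples; size_t size; } pixmap;
/* Instrumentation: drops applied to a pixmap already at zero references.
 * In real code each one is a free() of an already freed sample buffer. */
static int over_drops;

static pixmap *pixmap_new(size_t w, size_t h) {
    pixmap *p = calloc(1, sizeof *p);
    p->refs = 1; p->size = w * h; p->samples = malloc(p->size);
    return p;
}
/* Like fz_drop_pixmap: release one reference, free storage at zero. The struct is
 * left for its owner to free() so a second drop can still be observed. */
static void pixmap_drop(pixmap *p) {
    if (!p) return;
    if (p->refs <= 0) { over_drops++; return; }
    if (--p->refs == 0) { free(p->samples); p->samples = NULL; }
}

/* Stand-in for running a display list into pix; fail simulates a render-time error. */
static void render(context *ctx, pixmap *pix, int fail) {
    memset(pix->samples, 0xff, pix->size);
    if (fail) ctx_throw(ctx, "rendering error");
}

/* The callee. buggy_drop selects the affected versions' error path (drop a pixmap it
 * does not own, then rethrow) or the fixed one (rethrow only; the owner cleans up). */
static void fill_pixmap(context *ctx, pixmap *pix, int fail, int buggy_drop) {
    jmp_buf jb;
    ctx_push(ctx, &jb);
    if (setjmp(jb) == 0) {
        render(ctx, pix, fail);
        ctx_pop(ctx);
    } else {
        ctx_pop(ctx);
        if (buggy_drop) pixmap_drop(pix);  /* BUG: pix is caller-owned */
        ctx_throw(ctx, ctx->error);        /* rethrow to the caller's frame */
    }
}

/* Caller shaped like the barcode decode path: allocate, fill, drop in cleanup.
 * Returns 1 if the rendering error reached it. */
static int decode_barcode(context *ctx, int fail, int buggy_drop) {
    jmp_buf jb;
    pixmap *volatile pix = pixmap_new(64, 64);  /* volatile: live across setjmp */
    volatile int caught = 0;
    ctx_push(ctx, &jb);
    if (setjmp(jb) == 0) {
        fill_pixmap(ctx, pix, fail, buggy_drop);
        ctx_pop(ctx);
    } else {
        ctx_pop(ctx);
        caught = 1;
    }
    pixmap_drop(pix);  /* the caller's one legitimate drop: second free in the buggy case */
    free(pix);
    return caught;
}

/* Runs one decode; returns how many over-drops it caused and reports through *caught
 * whether the error still propagated to the caller. */
static int run_scenario(int fail, int buggy_drop, int *caught) {
    context ctx = {0};
    over_drops = 0;
    *caught = decode_barcode(&ctx, fail, buggy_drop);
    return over_drops;
}

int main(void) {
    int caught, n = run_scenario(1, 1, &caught);
    printf("affected path: over-drops=%d, error propagated=%d\n", n, caught);
    n = run_scenario(1, 0, &caught);
    printf("fixed path:    over-drops=%d, error propagated=%d\n", n, caught);
    return 0;
}
```

With buggy_drop set, one rendering error yields exactly one over-drop while the error still propagates to the caller; with it clear, the same error yields none and the caller's single drop is the only release. In a real build the equivalent observation is an AddressSanitizer double-free report at the caller's fz_drop_pixmap.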

Potential Impact

The primary impact of CVE-2026-25556 is denial of service: a crafted PDF that produces a rendering error during barcode decoding crashes the MuPDF-based process through heap corruption. Heap corruption from a double free is in general a stronger primitive than a crash, so the issue could serve as a building block in a larger attack chain, but no exploit for arbitrary code execution is known. Exposure is concentrated in document viewers and automated processing tools that extract barcode data, which are common in logistics, healthcare, finance and government workflows. The CVSS rating of user interaction required limits unattended exploitation of interactive viewers, but in server-side pipelines that ingest untrusted uploads the interaction is simply the pipeline processing the file, so the practical barrier there is low. Until a fix is available the exposure persists. The expected consequences are service interruptions, delayed document processing and incident response effort.

Mitigation Recommendations

To mitigate CVE-2026-25556, track Artifex Software's release notes and advisories for a fix and upgrade promptly once one is available; check deployed MuPDF versions, including copies embedded in other products, against the affected range 1.23.0 through 1.27.0. Until a fix ships, the most direct mitigation is to disable barcode decoding in MuPDF, since that is the only code path the advisory names that reaches the bug. Process untrusted PDFs in a sandbox or in a separate, restartable worker so that a crash is contained, and treat repeated crashes of MuPDF-based processes on particular inputs as worth investigating, because a crash is the expected symptom. Users should avoid opening untrusted documents in affected viewers. Developers who embed MuPDF and build from source should correct the ownership error itself: fz_fill_pixmap_from_display_list() must not drop the caller-owned pixmap in its error path, only rethrow, leaving the drop to the owner. Building with AddressSanitizer and running the barcode path on malformed or fuzzed inputs will flag the double free precisely, both to confirm the bug and to verify the change. Backup and incident response plans limit the operational impact of crashes in production.


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-02T20:12:33.395Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69861711f9fa50a62f1b4d1e

Added to database: 2/6/2026, 4:30:09 PM

Last enriched: 3/5/2026, 9:22:45 AM

Last updated: 3/23/2026, 6:55:52 PM
