CVE-2026-7233: Out-of-Bounds Read in Artifex MuPDF
CVE-2026-7233 is an out-of-bounds read vulnerability in Artifex MuPDF up to version 1. 28. 0, specifically in the function fz_subset_cff_for_gids within the CFF Index Handler component. This flaw allows local attackers to cause an out-of-bounds read. The vulnerability has been publicly disclosed, but no official response or patch from the vendor is currently available. The CVSS score is 4. 8, indicating a medium severity level. Exploitation requires local access and no user interaction is needed. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
This vulnerability exists in the fz_subset_cff_for_gids function of the subset-cff.c file in Artifex MuPDF versions up to 1.28.0. It results in an out-of-bounds read condition when handling CFF Index data. The attack vector is local, requiring the attacker to have local access to the system. The vulnerability was responsibly disclosed to the project, but no patch or official remediation has been provided as of the publication date. The CVSS 4.0 vector indicates low attack complexity and privileges required, with no user interaction necessary.
Potential Impact
An attacker with local access can trigger an out-of-bounds read, which may lead to information disclosure or application instability. The vulnerability does not allow remote exploitation or privilege escalation based on the available data. No known active exploitation has been reported.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Users should monitor the vendor's advisories for updates. Until a patch is released, restricting local access to trusted users and limiting the use of vulnerable MuPDF versions may reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-7233: Out-of-Bounds Read in Artifex MuPDF
Description
CVE-2026-7233 is an out-of-bounds read vulnerability in Artifex MuPDF up to version 1. 28. 0, specifically in the function fz_subset_cff_for_gids within the CFF Index Handler component. This flaw allows local attackers to cause an out-of-bounds read. The vulnerability has been publicly disclosed, but no official response or patch from the vendor is currently available. The CVSS score is 4. 8, indicating a medium severity level. Exploitation requires local access and no user interaction is needed. No known exploits in the wild have been reported.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability exists in the fz_subset_cff_for_gids function of the subset-cff.c file in Artifex MuPDF versions up to 1.28.0. It results in an out-of-bounds read condition when handling CFF Index data. The attack vector is local, requiring the attacker to have local access to the system. The vulnerability was responsibly disclosed to the project, but no patch or official remediation has been provided as of the publication date. The CVSS 4.0 vector indicates low attack complexity and privileges required, with no user interaction necessary.
Potential Impact
An attacker with local access can trigger an out-of-bounds read, which may lead to information disclosure or application instability. The vulnerability does not allow remote exploitation or privilege escalation based on the available data. No known active exploitation has been reported.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Users should monitor the vendor's advisories for updates. Until a patch is released, restricting local access to trusted users and limiting the use of vulnerable MuPDF versions may reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-27T17:00:07.970Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f0521fcbff5d8610c67dc3
Added to database: 4/28/2026, 6:22:23 AM
Last enriched: 4/28/2026, 6:36:36 AM
Last updated: 4/28/2026, 8:38:28 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.