GHSA-fhp4-pr5j-46m5: Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key
A NULL pointer dereference vulnerability exists in muhammara versions prior to 6.0.5 in the LZWDecode filter when processing PDF streams with a DecodeParms dictionary missing the EarlyChange key. This causes an access violation and crashes the process, resulting in a denial of service. The issue occurs because the code dereferences a NULL pointer without checking if the EarlyChange key is present. A fix involves adding a NULL check before dereferencing. This vulnerability affects applications that use muhammara to parse untrusted PDFs and can be triggered by a crafted PDF file.
AI Analysis
Technical Summary
The vulnerability in muhammara (<= 6.0.4) occurs in the PDFParser::CreateFilterForStream() function when handling PDF streams filtered with /LZWDecode. If the /DecodeParms dictionary is present but lacks the EarlyChange key, the code attempts to dereference a NULL pointer returned by QueryDictionaryObject, leading to an access violation (0xC0000005) and process crash. This is a classic NULL pointer dereference (CWE-476). The fix is to check if the pointer is non-NULL before calling GetValue(). This flaw enables denial of service by crashing the application processing malicious PDFs.
Potential Impact
The vulnerability causes a denial of service (DoS) by crashing any application using muhammara to parse PDF streams with the LZWDecode filter when the EarlyChange key is omitted in DecodeParms. There is no confidentiality or integrity impact reported. The crash results from an access violation due to NULL pointer dereference. No known exploits in the wild are reported.
Mitigation Recommendations
A fix is available in muhammara version 6.0.5 that adds a NULL check before dereferencing the EarlyChange key in the DecodeParms dictionary. Users should upgrade to version 6.0.5 or later to remediate this issue. Until upgraded, avoid processing untrusted PDFs with muhammara or apply the patch that adds the NULL pointer check as described in the vendor's fix snippet.
GHSA-fhp4-pr5j-46m5: Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key
Description
A NULL pointer dereference vulnerability exists in muhammara versions prior to 6.0.5 in the LZWDecode filter when processing PDF streams with a DecodeParms dictionary missing the EarlyChange key. This causes an access violation and crashes the process, resulting in a denial of service. The issue occurs because the code dereferences a NULL pointer without checking if the EarlyChange key is present. A fix involves adding a NULL check before dereferencing. This vulnerability affects applications that use muhammara to parse untrusted PDFs and can be triggered by a crafted PDF file.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in muhammara (<= 6.0.4) occurs in the PDFParser::CreateFilterForStream() function when handling PDF streams filtered with /LZWDecode. If the /DecodeParms dictionary is present but lacks the EarlyChange key, the code attempts to dereference a NULL pointer returned by QueryDictionaryObject, leading to an access violation (0xC0000005) and process crash. This is a classic NULL pointer dereference (CWE-476). The fix is to check if the pointer is non-NULL before calling GetValue(). This flaw enables denial of service by crashing the application processing malicious PDFs.
Potential Impact
The vulnerability causes a denial of service (DoS) by crashing any application using muhammara to parse PDF streams with the LZWDecode filter when the EarlyChange key is omitted in DecodeParms. There is no confidentiality or integrity impact reported. The crash results from an access violation due to NULL pointer dereference. No known exploits in the wild are reported.
Mitigation Recommendations
A fix is available in muhammara version 6.0.5 that adds a NULL check before dereferencing the EarlyChange key in the DecodeParms dictionary. Users should upgrade to version 6.0.5 or later to remediate this issue. Until upgraded, avoid processing untrusted PDFs with muhammara or apply the patch that adds the NULL pointer check as described in the vendor's fix snippet.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-fhp4-pr5j-46m5
- Osv Schema Version
- 1.4.0
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a3ef76827e9c79719fee79e
Added to database: 06/26/2026, 22:04:24 UTC
Last enriched: 06/26/2026, 22:07:05 UTC
Last updated: 06/27/2026, 01:18:56 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.