CVE-2026-7233
Artifex MuPDF CFF Index subset-cff.c fz_subset_cff_for_gids out-of-bounds
CVSS Score
3.3
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.
| CWE | CWE-125 CWE-119 |
| Vendor | artifex |
| Product | mupdf |
| Published | Apr 28, 2026 |
Stay Ahead of the Next One
Get instant alerts for artifex mupdf
Be the first to know when new low vulnerabilities affecting artifex mupdf are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Artifex / MuPDF
1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 1.25 1.26 1.27 1.28.0
References
vuldb.com: https://vuldb.com/vuln/359840 vuldb.com: https://vuldb.com/vuln/359840/cti vuldb.com: https://vuldb.com/submit/802590 bugs.ghostscript.com: https://bugs.ghostscript.com/show_bug.cgi?id=709328 github.com: https://github.com/biniamf/pocs/tree/main/mupdf-cff-indexload-oobread artifex.com: https://artifex.com/
Credits
๐ biniam (VulDB User) VulDB CNA Team