Source: okular
Version: 4:26.04.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

From https://kde.org/info/security/advisory-20260511-5.txt

KDE Project Security Advisory
=============================

Title:          Okular: integer overflow in fax image allocation leads to undersized heap allocation
Risk Rating:    Critical
CVE:            PENDING
Versions:       Okular <= 26.04.0
Author:         George Karagiannidis
Date:           11 May 2026

Overview
========

Okular is a universal document viewer. The fax backend in
generators/fax/faxdocument.cpp uses attacker-controlled image dimensions
and decoded line counts in allocation arithmetic without performing
overflow checks. A crafted fax file can cause the allocation size
calculation to overflow, producing a heap buffer that is far smaller than
the caller expects. Subsequent pixel writes indexed by the original
unclipped dimensions then overwrite memory beyond the allocation.

Impact
======

Opening a crafted fax file with malicious dimensions or a compressed
bitstream that decodes to an unusually large line count triggers a heap
out-of-bounds write in the fax parser. This can be exploited to achieve
code execution by enticing the victim to open a malicious .g3 or .g4
file.

Workaround
==========

Do not open untrusted .g3 or .g4 fax files in vulnerable Okular builds.

Solution
========

Update to Okular >= 26.04.1 or apply
https://commits.kde.org/okular/49cccdec814b2ddb0a403b63994114f09b007a2c

Credits
=======

Thanks to George Karagiannidis from TwelveSec for reporting this issue.

Regards,
salvatore
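The bug class the advisory above describes, as an added C example that is not Okular's code: the unchecked 32-bit product of two header dimensions beside a hardened size computation that rejects overflow and clips the number of decoded lines to the allocated height. The fax_header struct and its field names, the one-byte-per-pixel layout, the MAX_PIXELS budget and the sample header values are all assumptions constructed for illustration, not values taken from the advisory or from Okular.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header values, as a decoder might read them from a fax file.
 * The struct and its field names are assumptions for this example. */
typedef struct {
    uint32_t width;         /* attacker-controlled */
    uint32_t height;        /* attacker-controlled */
    uint32_t decoded_lines; /* lines the compressed bitstream decodes to */
} fax_header;

/* Assumed per-page budget (256 MiB at one byte per pixel); not an Okular limit. */
#define MAX_PIXELS ((size_t)256 * 1024 * 1024)

/* Unchecked pattern: the product of two 32-bit dimensions wraps modulo 2^32,
 * so the allocator receives a size far smaller than the image. */
static size_t unchecked_alloc_size(const fax_header *h)
{
    uint32_t bytes = h->width * h->height; /* wraps silently */
    return bytes;
}

/* Bytes a pixel writer touches when it loops over every decoded line with the
 * unclipped width: the size the caller implicitly expects. */
static uint64_t writer_expected_bytes(const fax_header *h)
{
    return (uint64_t)h->width * (uint64_t)h->decoded_lines;
}

/* 1 if the unchecked arithmetic under-allocates for this header. */
static int unchecked_is_undersized(const fax_header *h)
{
    return (uint64_t)unchecked_alloc_size(h) < writer_expected_bytes(h);
}

/* Hardened size computation: rejects zero dimensions, a product that would not
 * fit in size_t, and pages over the budget. Returns 0 on rejection. */
static size_t checked_alloc_size(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    if ((size_t)height > SIZE_MAX / (size_t)width) /* width*height overflows */
        return 0;
    size_t bytes = (size_t)width * (size_t)height;
    return bytes > MAX_PIXELS ? 0 : bytes;
}

/* Hardened decode: allocate with the checked size and clip the lines written to
 * the allocated height, so a bitstream that decodes to more lines than the
 * header promised cannot write past the buffer. Decoding is simulated: each
 * line is filled with its own index. Returns NULL on rejection and reports the
 * number of lines actually written through *lines_written. */
static unsigned char *decode_fax_page(const fax_header *h, uint32_t *lines_written)
{
    *lines_written = 0;
    size_t bytes = checked_alloc_size(h->width, h->height);
    if (bytes == 0)
        return NULL;
    unsigned char *pixels = calloc(bytes, 1);
    if (pixels == NULL)
        return NULL;
    uint32_t lines = h->decoded_lines < h->height ? h->decoded_lines : h->height;
    for (uint32_t row = 0; row < lines; row++)
        memset(pixels + (size_t)row * h->width, (int)(row & 0xffu), h->width);
    *lines_written = lines;
    return pixels;
}

int main(void)
{
    /* Constructed inputs: a sane page; a header whose 32-bit product wraps to
     * 65536 bytes while the writer expects about 4 GiB; and a page whose
     * bitstream decodes to more lines than its header declares. */
    const fax_header sane     = { 1728, 1100, 1100 };
    const fax_header crafted  = { 0x10000u, 0x10001u, 0x10001u };
    const fax_header overlong = { 8, 4, 6 };
    const fax_header *cases[] = { &sane, &crafted, &overlong };

    for (size_t i = 0; i < 3; i++) {
        const fax_header *h = cases[i];
        uint32_t lines;
        unsigned char *px = decode_fax_page(h, &lines);
        printf("%" PRIu32 "x%" PRIu32 ", %" PRIu32 " decoded lines: "
               "unchecked malloc(%zu) vs writer %" PRIu64 " -> %s; "
               "hardened: %s, %" PRIu32 " lines written\n",
               h->width, h->height, h->decoded_lines,
               unchecked_alloc_size(h), writer_expected_bytes(h),
               unchecked_is_undersized(h) ? "UNDERSIZED" : "ok",
               px ? "allocated" : "rejected", lines);
        free(px);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The overflow check (`height > SIZE_MAX / width`) is the fix for the advisory's first trigger, crafted dimensions; the clip of decoded_lines to height addresses the second, a bitstream that decodes to more lines than the header declares. The MAX_PIXELS budget is a separate resource limit against absurd but non-wrapping sizes, not part of the overflow fix itself.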
