[oss-security] GHSL-2025-054: Use After Free (UAF) in Poppler - CVE-2025-52886

Fri, 11 Jul 2025 16:01:47 -0700 

https://securitylab.github.com/advisories/GHSL-2025-054_poppler/ advises:


July 1, 2025
GHSL-2025-054: Use After Free (UAF) in Poppler - CVE-2025-52886
Author Kevin Backhouse

Coordinated Disclosure Timeline

    2025-04-03: Reported as a private issue:
        https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
    2025-06-02: Fixed by limiting the maximum number of annots:
        https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828
    2025-06-03: Issue made publicly visible:
        https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
    2025-06-03: Poppler 25.06.0 released:
        
https://gitlab.freedesktop.org/poppler/poppler/-/tree/poppler-25.06.0?ref_type=tags

Summary

poppler uses std::atomic_int for reference counting. Because it is only 32 bits,
it is possible to overflow the reference count and trigger a use-after-free.


Project

poppler


Tested Version

25.02.0


Details

Use-after-free due to reference count integer overflow (GHSL-2025-054)

poppler uses the type std::atomic_int for reference counting in four locations:

    Annot.h
    Array.h
    Dict.h
    Stream.h

Because std::atomic_int is only 32 bits, it’s possible to overflow one of these
reference counts, which can lead to a use-after-free memory corruption
vulnerability.

We have included a proof of concept which triggers an integer overflow on the
reference count in Annot.h. The poc file is only 3.1KB in size, but contains a
stream which decompresses to an array of annotations of size 0x1000000. That
array is referenced by 0x100 pages, which causes the reference count on the
annotation to be incremented 0x100000000 times, so it wraps around to zero and
the annotation is deleted. Run the poc like this:

    pdftohtml GHSL-2025-054_poppler_refcount.pdf


Impact

It’s possible that this use-after-free bug could be exploited to achieve code
execution in poppler. However, in our testing it took 12 hours to trigger the
use-after-free, so in practice the risk of exploitation is low.


CWEs

    CWE-190: “Integer Overflow or Wraparound”
    CWE-416: “Use After Free”
    CWE-911: “Improper Update of Reference Count”


CVE

    CVE-2025-52886


Credit

This issue was discovered and reported by GHSL team member @kevinbackhouse
(Kevin Backhouse).


Contact

You can contact the GHSL team at security...@github.com, please include a
reference to GHSL-2025-054 in any communication regarding this issue.


--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Reply via email to