Hi Alan,

Thanks for posting this one! I didn't send it to the list myself because I don't think it's realistically exploitable: it takes too long to trigger the integer overflow. But for anybody who's interested, the poc is here:

https://github.com/github/securitylab/tree/main/SecurityExploits/freedesktop/poppler-CVE-2025-52886

Thanks,

Kev

On Sat, Jul 12, 2025 at 12:01 AM Alan Coopersmith <alan.coopersm...@oracle.com> wrote:
>
> https://securitylab.github.com/advisories/GHSL-2025-054_poppler/ advises:
>
> > July 1, 2025
> > GHSL-2025-054: Use After Free (UAF) in Poppler - CVE-2025-52886
> > Author Kevin Backhouse
> >
> > Coordinated Disclosure Timeline
> >
> > 2025-04-03: Reported as a private issue:
> > https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
> > 2025-06-02: Fixed by limiting the maximum number of annots:
> > https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828
> > 2025-06-03: Issue made publicly visible:
> > https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
> > 2025-06-03: Poppler 25.06.0 released:
> > https://gitlab.freedesktop.org/poppler/poppler/-/tree/poppler-25.06.0?ref_type=tags
> >
> > Summary
> >
> > poppler uses std::atomic_int for reference counting. Because it is only 32 bits,
> > it is possible to overflow the reference count and trigger a use-after-free.
> >
> > Project
> >
> > poppler
> >
> > Tested Version
> >
> > 25.02.0
> >
> > Details
> >
> > Use-after-free due to reference count integer overflow (GHSL-2025-054)
> >
> > poppler uses the type std::atomic_int for reference counting in four locations:
> >
> > Annot.h
> > Array.h
> > Dict.h
> > Stream.h
> >
> > Because std::atomic_int is only 32 bits, it’s possible to overflow one of these
> > reference counts, which can lead to a use-after-free memory corruption vulnerability.
> >
> > We have included a proof of concept which triggers an integer overflow on the
> > reference count in Annot.h. The poc file is only 3.1KB in size, but contains a
> > stream which decompresses to an array of annotations of size 0x1000000. That
> > array is referenced by 0x100 pages, which causes the reference count on the
> > annotation to be incremented 0x100000000 times, so it wraps around to zero and
> > the annotation is deleted. Run the poc like this:
> >
> > pdftohtml GHSL-2025-054_poppler_refcount.pdf
> >
> > Impact
> >
> > It’s possible that this use-after-free bug could be exploited to achieve code
> > execution in poppler. However, in our testing it took 12 hours to trigger the
> > use-after-free, so in practice the risk of exploitation is low.
> >
> > CWEs
> >
> > CWE-190: “Integer Overflow or Wraparound”
> > CWE-416: “Use After Free”
> > CWE-911: “Improper Update of Reference Count”
> >
> > CVE
> >
> > CVE-2025-52886
> >
> > Credit
> >
> > This issue was discovered and reported by GHSL team member @kevinbackhouse
> > (Kevin Backhouse).
> >
> > Contact
> >
> > You can contact the GHSL team at security...@github.com, please include a
> > reference to GHSL-2025-054 in any communication regarding this issue.
>
> --
> -Alan Coopersmith- alan.coopersm...@oracle.com
> Oracle Solaris Engineering - https://blogs.oracle.com/solaris
>
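The advisory above describes a 32-bit std::atomic_int reference count that wraps when an object is referenced 0x100000000 times (an array of 0x1000000 annotations shared by 0x100 pages). The following is an added example, not Poppler's code and not part of the thread: a constructed model of that counter pattern driven across the wrap boundary on a real std::atomic, beside a checked increment that refuses to wrap and a loader-side cap on the annotation array in the shape of the upstream fix. Everything here (the struct names, kMaxAnnots and its value, the helper functions) is an assumption of the example, not taken from Poppler; the 64-bit increment arithmetic reproduces the 0x1000000 × 0x100 figure from the advisory.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <utility>

// Added example (not Poppler's code): a constructed model of the refcount
// pattern the advisory describes, next to a hardened variant.

// --- Vulnerable pattern: 32-bit std::atomic_int reference count ---------------
// fetch_add on a signed atomic is defined by the standard to wrap (two's
// complement), so after INT32_MAX the count goes negative and can later pass
// through zero, making a still-referenced object look unreferenced.
struct WrappingRefCounted {
    std::atomic_int refCnt{1};
    void incRefCnt() { refCnt.fetch_add(1, std::memory_order_relaxed); }
    // Returns true when the count reaches zero, i.e. the object would be freed.
    bool decRefCnt() { return refCnt.fetch_sub(1, std::memory_order_relaxed) == 1; }
};

// --- Hardened pattern: checked increment plus a cap on array size -------------
// kMaxAnnots is an assumed cap for this example; the upstream fix limited the
// maximum number of annots, but this is not the value it chose.
constexpr uint64_t kMaxAnnots = 1u << 20;

struct CheckedRefCounted {
    std::atomic<int32_t> refCnt{1};
    // Refuses to increment past INT32_MAX instead of wrapping; returns false
    // and leaves the count unchanged so the caller can treat it as an error.
    bool incRefCnt() {
        int32_t cur = refCnt.load(std::memory_order_relaxed);
        do {
            if (cur >= INT32_MAX) return false;
        } while (!refCnt.compare_exchange_weak(cur, cur + 1,
                                               std::memory_order_relaxed));
        return true;
    }
    bool decRefCnt() { return refCnt.fetch_sub(1, std::memory_order_relaxed) == 1; }
};

// Drive the vulnerable counter from `start` across the wrap boundary on the
// real atomic (a few steps, rather than the 0x100000000 the poc needs).
int32_t incrementFrom(int32_t start, unsigned times) {
    WrappingRefCounted obj;
    obj.refCnt.store(start);
    for (unsigned i = 0; i < times; ++i) obj.incRefCnt();
    return obj.refCnt.load();
}

// Same drive on the checked counter. Returns {all increments succeeded, final count}.
std::pair<bool, int32_t> checkedIncrementFrom(int32_t start, unsigned times) {
    CheckedRefCounted obj;
    obj.refCnt.store(start);
    bool ok = true;
    for (unsigned i = 0; i < times; ++i) ok = obj.incRefCnt() && ok;
    return {ok, obj.refCnt.load()};
}

// Total increments a document causes when `pages` pages each reference the
// same array of `annots` annotations, in 64-bit arithmetic so the product
// itself cannot overflow.
uint64_t totalIncrements(uint64_t annots, uint64_t pages) { return annots * pages; }

// Would that many increments push a 32-bit count starting at `start` (>= 0)
// past INT32_MAX? A negative start has already wrapped, so report true.
bool wraps32(int32_t start, uint64_t increments) {
    if (start < 0) return true;
    return increments > static_cast<uint64_t>(INT32_MAX - start);
}

// Loader-side check in the shape of the upstream fix: reject oversized arrays
// before any of their entries can be referenced.
bool acceptAnnotArray(uint64_t count) { return count <= kMaxAnnots; }

int main() {
    std::printf("INT32_MAX + 1 on atomic_int -> %d\n", incrementFrom(INT32_MAX, 1));
    std::printf("-3 + 3 increments -> %d (object looks unreferenced)\n",
                incrementFrom(-3, 3));
    auto r = checkedIncrementFrom(INT32_MAX, 1);
    std::printf("checked increment at INT32_MAX: ok=%d value=%d\n", r.first, r.second);
    uint64_t n = totalIncrements(0x1000000, 0x100);  // layout from the advisory
    std::printf("poc layout: %llu increments, wraps=%d, array accepted=%d\n",
                static_cast<unsigned long long>(n), wraps32(1, n),
                acceptAnnotArray(0x1000000));
    return 0;
}
```

The checked increment is only half of a fix: a counter that cannot wrap still needs a caller that handles the failure, and the simplest structural defence (the one the advisory's timeline records) is to bound the number of objects that can share a reference in the first place, so the 64-bit product of annots and pages can never approach 2^32.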