CVE-2026-10118
Public on 2026-06-01
Modified on 2026-06-01
Description
A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | compat-poppler022 | Pending Fix | ||
| Amazon Linux 2023 | compat-poppler22 | Pending Fix | ||
| Amazon Linux 2 - Core | glib2 | Not Affected | ||
| Amazon Linux 2023 | glib2 | Not Affected | ||
| Amazon Linux 2 - Core | poppler | Pending Fix | ||
| Amazon Linux 2023 | poppler | Pending Fix | ||
| Amazon Linux 2 - Core | poppler-data | Not Affected | ||
| Amazon Linux 2023 | poppler-data | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |