Message-ID: <CAMmasONXdsUzxN1nCmyVcjQvw_eV-2Ys-4ZPPod_UD93t-MtgQ@mail.gmail.com>
Date: Sat, 12 Jul 2025 12:01:56 +0100
From: Kevin Backhouse <kevinbackhouse@...hub.com>
To: oss-security@...ts.openwall.com
Subject: Re: GHSL-2025-054: Use After Free (UAF) in Poppler - CVE-2025-52886

Hi Alan,

Thanks for posting this one! I didn't send it to the list myself
because I don't think it's realistically exploitable: it takes too
long to trigger the integer overflow. But for anybody who's
interested, the poc is here:

https://github.com/github/securitylab/tree/main/SecurityExploits/freedesktop/poppler-CVE-2025-52886

Thanks,

Kev

On Sat, Jul 12, 2025 at 12:01 AM Alan Coopersmith
<alan.coopersmith@...cle.com> wrote:
>
> https://securitylab.github.com/advisories/GHSL-2025-054_poppler/ advises:
>
> > July 1, 2025
> > GHSL-2025-054: Use After Free (UAF) in Poppler - CVE-2025-52886
> > Author Kevin Backhouse
> >
> > Coordinated Disclosure Timeline
> >
> >     2025-04-03: Reported as a private issue:
> >         https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
> >     2025-06-02: Fixed by limiting the maximum number of annots:
> >         https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828
> >     2025-06-03: Issue made publicly visible:
> >         https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
> >     2025-06-03: Poppler 25.06.0 released:
> >         https://gitlab.freedesktop.org/poppler/poppler/-/tree/poppler-25.06.0?ref_type=tags
> >
> > Summary
> >
> > poppler uses std::atomic_int for reference counting. Because it is only 32 bits,
> > it is possible to overflow the reference count and trigger a use-after-free.
> >
> >
> > Project
> >
> > poppler
> >
> >
> > Tested Version
> >
> > 25.02.0
> >
> >
> > Details
> >
> > Use-after-free due to reference count integer overflow (GHSL-2025-054)
> >
> > poppler uses the type std::atomic_int for reference counting in four locations:
> >
> >     Annot.h
> >     Array.h
> >     Dict.h
> >     Stream.h
> >
> > Because std::atomic_int is only 32 bits, it’s possible to overflow one of these
> > reference counts, which can lead to a use-after-free memory corruption
> > vulnerability.
> >
> > We have included a proof of concept which triggers an integer overflow on the
> > reference count in Annot.h. The poc file is only 3.1KB in size, but contains a
> > stream which decompresses to an array of annotations of size 0x1000000. That
> > array is referenced by 0x100 pages, which causes the reference count on the
> > annotation to be incremented 0x100000000 times, so it wraps around to zero and
> > the annotation is deleted. Run the poc like this:
> >
> >     pdftohtml GHSL-2025-054_poppler_refcount.pdf
> >
> >
> > Impact
> >
> > It’s possible that this use-after-free bug could be exploited to achieve code
> > execution in poppler. However, in our testing it took 12 hours to trigger the
> > use-after-free, so in practice the risk of exploitation is low.
> >
> >
> > CWEs
> >
> >     CWE-190: “Integer Overflow or Wraparound”
> >     CWE-416: “Use After Free”
> >     CWE-911: “Improper Update of Reference Count”
> >
> >
> > CVE
> >
> >     CVE-2025-52886
> >
> >
> > Credit
> >
> > This issue was discovered and reported by GHSL team member @kevinbackhouse
> > (Kevin Backhouse).
> >
> >
> > Contact
> >
> > You can contact the GHSL team at securitylab@...hub.com, please include a
> > reference to GHSL-2025-054 in any communication regarding this issue.
>
> --
>          -Alan Coopersmith-                 alan.coopersmith@...cle.com
>           Oracle Solaris Engineering - https://blogs.oracle.com/solaris
>

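As an added illustration of the bug class in the advisory quoted above (example code, not poppler's or GitHub Security Lab's): the unchecked increment below is the plain std::atomic_int pattern, shrunk from 32 bits to 8 so the wrap is reproducible in 256 steps, placed beside a checked increment that refuses to go past the counter's maximum instead of wrapping to zero. The RefCount class and its method names are assumed for this example and are not poppler's.

```cpp
// Added example (not poppler's code): a reference counter that refuses to
// wrap instead of silently overflowing like a plain std::atomic_int.
#include <atomic>
#include <cstdint>
#include <limits>
// Counter width is a template parameter only so the wraparound can be
// reproduced in 256 increments; real code uses a wide type plus the check.
template <typename T>
class RefCount {
 public:
  explicit RefCount(T initial) : count_(initial) {}
  // Unchecked increment, the pattern from the advisory: after 2^N
  // increments the counter passes through zero and the object looks free.
  T incRefUnchecked() { return ++count_; }

  // Checked increment: a CAS loop that never bumps a counter already at
  // its maximum; returns false so the caller can fail the operation.
  bool incRef() {
    T cur = count_.load(std::memory_order_relaxed);
    for (;;) {
      if (cur == std::numeric_limits<T>::max()) return false;
      if (count_.compare_exchange_weak(cur, static_cast<T>(cur + 1),
                                       std::memory_order_acq_rel,
                                       std::memory_order_relaxed))
        return true;
      // On failure cur now holds the current value; retry with it.
    }
  }

  T value() const { return count_.load(std::memory_order_relaxed); }

 private:
  std::atomic<T> count_;
};

// One object acquired by 256 owners with an 8-bit counter (constructed
// scenario standing in for the 2^32 increments in the advisory).
bool uncheckedWrapsToZero() {
  RefCount<uint8_t> rc(0);
  for (int i = 0; i < 256; ++i) rc.incRefUnchecked();
  return rc.value() == 0;  // wrapped: a release now frees a live object
}

int checkedIncrementsAccepted() {
  RefCount<uint8_t> rc(0);
  int accepted = 0;
  for (int i = 0; i < 256; ++i) accepted += rc.incRef() ? 1 : 0;
  return accepted;  // 255: the 256th increment is refused, not wrapped
}
```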