Package details: pkg:deb/debian/poppler@20.09.0-3.1%2Bdeb11u1
purl pkg:deb/debian/poppler@20.09.0-3.1%2Bdeb11u1
Next non-vulnerable version 25.03.0-5
Latest non-vulnerable version 25.03.0-5
Risk 3.4
Vulnerabilities affecting this package (12)
Vulnerability Summary Fixed by
VCID-1w5c-axe5-mbb5
Aliases:
CVE-2020-36023
An issue was discovered in freedesktop poppler version 20.12.1 that allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file to the FoFiType1C::cvtGlyph function.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-5j7m-cczq-yuev
Aliases:
CVE-2022-37051
An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-5ynz-7776-3bbt
Aliases:
CVE-2025-43903
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
25.03.0-5
Affected by 0 other vulnerabilities.
VCID-avnr-t9ny-vqam
Aliases:
CVE-2024-6239
A flaw was found in Poppler's pdfinfo utility. This issue occurs when using the -dests parameter with the pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.
25.03.0-5
Affected by 0 other vulnerabilities.
VCID-bh11-g94j-mfc4
Aliases:
CVE-2022-37052
A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-chds-xndj-tffu
Aliases:
CVE-2025-52886
Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.
25.03.0-5
Affected by 0 other vulnerabilities.
VCID-p8zt-gbzd-yyf8
Aliases:
CVE-2022-38349
An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, which will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-sam6-g21p-27ct
Aliases:
CVE-2020-36024
An issue was discovered in freedesktop poppler version 20.12.1 that allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file to the FoFiType1C::convertToType1 function.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-sd6h-f97f-t3af
Aliases:
CVE-2025-32365
Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-w1t7-xbb5-3qh1
Aliases:
CVE-2024-56378
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-wxqy-xnjs-nkd1
Aliases:
CVE-2025-32364
A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
VCID-yzxk-8kas-tbgp
Aliases:
CVE-2022-37050
In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.cc allows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.
22.12.0-2+deb12u1
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (15)
Vulnerability Summary Aliases
VCID-13qc-nqyc-f7d2 Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf. CVE-2022-38784
VCID-8x86-nhbd-gufh An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo. CVE-2018-18897
VCID-92s6-szxa-1qds An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. CVE-2019-14494
VCID-aqc4-jbue-fkff The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo. CVE-2019-9959
VCID-dzff-t65q-vuee An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function PSOutputDev::checkPageSlice at PSOutputDev.cc. CVE-2019-10871
VCID-eqbz-ekbm-zfab A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach. CVE-2018-20650
VCID-f73u-uzgx-v3fw An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, which will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path. CVE-2018-19060
VCID-ft16-rjr8-hqdx An issue was discovered in Poppler 0.71.0. There is an out-of-bounds read in EmbFile::save2 in FileSpec.cc, which will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts. CVE-2018-19059
VCID-j82p-qpxc-dbfs A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. CVE-2022-27337
VCID-mw2f-2u1d-pbep A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would crash the application causing a denial of service. CVE-2020-27778
VCID-n7rt-f5sd-f7h6 Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input. CVE-2020-23804
VCID-pjcg-14ye-xugt Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service. CVE-2020-18839
VCID-r8b4-sfyn-fydn An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, which will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file. CVE-2018-19058
VCID-sb5j-qhug-k7bk poppler: infinite recursion in function FontInfoScanner::scanFonts in FontInfo.cc CVE-2019-11026
VCID-u6b7-hsbd-uyfv PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary. CVE-2019-9903

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T20:17:23.253968+00:00 Debian Oval Importer Affected by VCID-wxqy-xnjs-nkd1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T20:16:45.596143+00:00 Debian Oval Importer Fixing VCID-f73u-uzgx-v3fw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:54:53.726298+00:00 Debian Oval Importer Fixing VCID-eqbz-ekbm-zfab https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:38:21.332580+00:00 Debian Oval Importer Affected by VCID-w1t7-xbb5-3qh1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:33:09.532125+00:00 Debian Oval Importer Fixing VCID-aqc4-jbue-fkff https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:50:51.872059+00:00 Debian Oval Importer Affected by VCID-sam6-g21p-27ct https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:07:54.986059+00:00 Debian Oval Importer Fixing VCID-r8b4-sfyn-fydn https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:48:18.734988+00:00 Debian Oval Importer Fixing VCID-ft16-rjr8-hqdx https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:31:57.193494+00:00 Debian Oval Importer Fixing VCID-dzff-t65q-vuee https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:30:12.137529+00:00 Debian Oval Importer Affected by VCID-bh11-g94j-mfc4 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:26:04.572114+00:00 Debian Oval Importer Affected by VCID-5j7m-cczq-yuev https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:07:39.103068+00:00 Debian Oval Importer Affected by VCID-sd6h-f97f-t3af https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:34:28.424642+00:00 Debian Oval Importer Fixing VCID-u6b7-hsbd-uyfv https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:57:43.182619+00:00 Debian Oval Importer Affected by VCID-yzxk-8kas-tbgp https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:44:49.747006+00:00 Debian Oval Importer Fixing VCID-8x86-nhbd-gufh https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:25:02.545242+00:00 Debian Oval Importer Fixing VCID-mw2f-2u1d-pbep https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:15:47.722958+00:00 Debian Oval Importer Fixing VCID-13qc-nqyc-f7d2 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:46:59.148181+00:00 Debian Oval Importer Fixing VCID-n7rt-f5sd-f7h6 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:39:08.418068+00:00 Debian Oval Importer Affected by VCID-p8zt-gbzd-yyf8 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:20:35.083966+00:00 Debian Oval Importer Fixing VCID-92s6-szxa-1qds https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:13:44.503840+00:00 Debian Oval Importer Fixing VCID-pjcg-14ye-xugt https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:05:02.030579+00:00 Debian Importer Affected by VCID-5ynz-7776-3bbt https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:58:26.786488+00:00 Debian Oval Importer Fixing VCID-sb5j-qhug-k7bk https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:49:16.065980+00:00 Debian Importer Affected by VCID-chds-xndj-tffu https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:43:05.518273+00:00 Debian Oval Importer Fixing VCID-j82p-qpxc-dbfs https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:12:30.427131+00:00 Debian Importer Affected by VCID-avnr-t9ny-vqam https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T11:55:05.539919+00:00 Debian Oval Importer Affected by VCID-1w5c-axe5-mbb5 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0