Fluid Attacks Database

Description

Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	poppler	=22.12.0-2 \|\| >=0 <22.12.0-2+deb12u1	22.12.0-2+deb12u1
debian 11	poppler	=20.09.0-3.1 \|\| =20.09.0-3.1+deb11u1 \|\| >=0 <20.09.0-3.1+deb11u2	20.09.0-3.1+deb11u2
debian 13	poppler	>=0 <25.03.0-3	25.03.0-3
debian 14	poppler	>=0 <25.03.0-3	25.03.0-3
rpm rhel6	poppler	-	-
rpm rhel10.0	poppler	<0:24.02.0-7.el10_0	0:24.02.0-7.el10_0
rpm rhel7	poppler	-	-
rpm rhel8.4	poppler	<0:20.11.0-2.el8_4.2	0:20.11.0-2.el8_4.2
rpm rhel7	compat-poppler022	-	-
rpm rhel8	poppler	<0:20.11.0-13.el8_10	0:20.11.0-13.el8_10

1-10 of 14

Aliases

1. CVE-2025-323652. NVD-2025-323653. OSV-DEBIAN-2025-323654. OSV-2025-323655. SECURITY-TRACKER-CVE-2025-32365

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.