Introduction
Every Linux desktop environment that renders PDFs likely depends on Poppler, and a single malformed tiling pattern in a crafted PDF can now turn that dependency into a code execution vector. CVE-2026-10118 is an integer overflow in Poppler's Splash backend that, when triggered during PDF rendering, produces an undersized heap allocation and a subsequent out of bounds write, opening the door to arbitrary code execution within the context of the application processing the file.
Poppler is the default PDF rendering library for GNOME's Evince and KDE's Okular, and it powers tools like GIMP, Inkscape, LibreOffice, and the widely deployed pdftoppm and pdftotext command line utilities. Its reach extends well beyond desktop viewers into automated document processing pipelines on servers, making the attack surface substantial.
Technical Information
Root Cause: Integer Overflow in Dimension Calculations
CVE-2026-10118 is classified under CWE-190 (Integer Overflow or Wraparound), with Red Hat additionally mapping it to CWE-122 (Heap-based Buffer Overflow) to capture the downstream consequence. The vulnerability carries a CVSS v3 base score of 7.8.
The flaw resides in the tilingPatternFill function within Poppler's Splash rendering backend. During the processing of a PDF tiling pattern, this function computes result_width and result_height values that are subsequently passed to Splash::drawImage(). An attacker can craft a PDF file containing a /Pattern dictionary with specific /Matrix and /BBox values that cause these dimension calculations to overflow. When the integer overflow occurs, the resulting values wrap around to a much smaller number than intended, leading to an undersized heap memory allocation via malloc. The rendering pipeline then proceeds to write image data into this buffer based on the original (pre-overflow) dimensions, producing a classic heap buffer overflow.
The vulnerability was reported by Aisle Research and documented in the upstream GitLab issue tracker.
Affected Code Paths
AddressSanitizer output from the GitLab issue identifies the following affected functions and source locations:
| Function | Source File | Line | Role |
|---|---|---|---|
SplashOutputDev::tilingBitmapSrc | poppler/SplashOutputDev.cc | 3134 | Overflow manifests as heap buffer overflow write |
Splash::scaleImageYdownXdown | splash/Splash.cc | 4087 | Image scaling path involved in overflow propagation |
Splash::drawImage | splash/Splash.cc | 3633 | Receives overflowed dimensions from tilingPatternFill |
The full call stack traces from main (in the pdftoppm utility) through PDFDoc::displayPageSlice, Page::displaySlice, Gfx::display, Gfx::go, Gfx::execOp, Gfx::opFill, Gfx::doPatternFill, Gfx::doTilingPatternFill, SplashOutputDev::tilingPatternFill, into Splash::drawImage, and finally to the crashing point at SplashOutputDev::tilingBitmapSrc. This confirms the overflow is triggered during normal PDF rendering when the engine encounters a crafted tiling pattern.
The AddressSanitizer output confirmed a heap buffer overflow on a write of size 1, occurring immediately after a 1,699,176 byte region allocated by malloc. This confirms the undersized allocation followed by out of bounds write pattern.
Attack Flow
The exploitation path is straightforward and requires no authentication or special privileges:
- An attacker crafts a malicious PDF file containing a
/Patternobject with manipulated/Matrixand/BBoxvalues designed to trigger the integer overflow in the dimension calculations. - The attacker delivers this PDF to a victim via email, web download, or any other file transfer mechanism.
- When the victim opens the PDF in any application using Poppler's Splash backend (Evince, Okular, pdftoppm, etc.), the rendering engine processes the tiling pattern.
- The
tilingPatternFillfunction computesresult_widthandresult_height, which overflow due to the crafted values. - An undersized heap buffer is allocated based on the overflowed (wrapped around) dimensions.
- The subsequent image rendering writes data beyond the allocated buffer, corrupting heap memory.
- Depending on heap layout and exploitation technique, this can lead to arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
The attack vector is network/remote with low attack complexity. The upstream GitLab issue provides a reproduction command: pdftoppm -png ./reproducer-oob.pdf output -r 2500.
Affected Systems and Versions
All versions of Poppler prior to 26.05.0 (released May 3, 2026) that use the Splash rendering backend are affected. The upstream fix is incorporated into Poppler 26.05.0.
Applications linked against vulnerable versions of Poppler's Splash backend include:
| Application | Binding | Desktop/Platform |
|---|---|---|
| Evince | GLib | GNOME |
| Okular | Qt5 | KDE |
| GIMP | GTK | Cross platform |
| Inkscape | GTK | Cross platform |
| LibreOffice 4.x | GTK | Cross platform |
| Zathura | GTK | Lightweight |
| pdftoppm, pdftotext, pdftohtml | CLI | Command line utilities |
The poppler-utils package, bundled with most Linux distributions, provides command line tools (pdfattach, pdfdetach, pdffonts, pdfimages, pdfinfo, pdfseparate, pdftocairo, pdftohtml, pdftoppm, pdftops, pdftotext, pdfunite) that are widely used in automated document processing pipelines.
As of June 1, 2026, distribution level patches specifically addressing CVE-2026-10118 have not yet been confirmed for RHEL, Debian, or Ubuntu. Earlier 2026 RHSAs for Poppler (RHSA-2026:0126, RHSA-2026:0774, RHSA-2026:0795, RHSA-2026:0773) address CVE-2025-32365, not this vulnerability.
Vendor Security History
Poppler has accumulated at least 27 CVEs according to CVEDetails, with a recurring pattern of memory corruption vulnerabilities triggered by crafted PDF input. The Splash backend has been a repeated source of these issues:
| CVE | Year | Type | Description |
|---|---|---|---|
| CVE-2013-1789 | 2013 | NULL pointer dereference | Denial of service via crafted input in splash/Splash.cc |
| CVE-2017-9406 | 2017 | Memory leak | Denial of service via gmalloc in gmem.cc |
| CVE-2020-35702 | 2020 | Heap based buffer overflow | DCTStream::getChars in DCTStream.cc |
| CVE-2025-32365 | 2025 | Out of bounds read | Crafted PDF triggering OOB read in Poppler |
| CVE-2025-50422 | 2025 | Assertion failure | Cairo assertion failure via Poppler through 25.08.0 |
| CVE-2026-10118 | 2026 | Integer overflow to heap buffer overflow | tilingPatternFill in Splash backend |
The recurrence of heap based buffer overflows and out of bounds access vulnerabilities, particularly in the Splash backend (CVE-2013-1789, CVE-2020-35702, CVE-2026-10118), indicates a persistent attack surface in Poppler's handling of complex PDF structures. Neither the Splash nor Cairo backend is inherently safer; CVE-2025-50422 demonstrates that the Cairo path has its own vulnerability history. This pattern suggests that organizations should implement defense in depth for all PDF processing rather than relying solely on patching individual CVEs.
References
- NVD: CVE-2026-10118
- Red Hat CVE Page: CVE-2026-10118
- Red Hat Bugzilla: Bug 2460428
- Upstream GitLab Issue: Heap Buffer Overflow in tilingPatternFill via Integer Overflow (#1715)
- Poppler Releases
- Poppler GitLab Repository
- Poppler Freedesktop Wiki
- Debian Security Tracker: poppler
- CVEDetails: Poppler Vulnerabilities
- CVEDetails: CVE-2013-1789
- CVEDetails: CVE-2020-35702
- CVEDetails: CVE-2025-50422
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- RHSA-2026:0126
- RHSA-2026:0774
- Wikipedia: Poppler (software)



