ZeroPath at Black Hat USA 2026

Poppler CVE-2026-10118: Quick Look at the Integer Overflow in tilingPatternFill Leading to Heap Corruption

A brief summary of CVE-2026-10118, a high severity integer overflow in Poppler's Splash backend that enables remote code execution via crafted PDF files, affecting major Linux PDF viewers and command line utilities.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

Poppler CVE-2026-10118: Quick Look at the Integer Overflow in tilingPatternFill Leading to Heap Corruption
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Every Linux desktop environment that renders PDFs likely depends on Poppler, and a single malformed tiling pattern in a crafted PDF can now turn that dependency into a code execution vector. CVE-2026-10118 is an integer overflow in Poppler's Splash backend that, when triggered during PDF rendering, produces an undersized heap allocation and a subsequent out of bounds write, opening the door to arbitrary code execution within the context of the application processing the file.

Poppler is the default PDF rendering library for GNOME's Evince and KDE's Okular, and it powers tools like GIMP, Inkscape, LibreOffice, and the widely deployed pdftoppm and pdftotext command line utilities. Its reach extends well beyond desktop viewers into automated document processing pipelines on servers, making the attack surface substantial.

Technical Information

Root Cause: Integer Overflow in Dimension Calculations

CVE-2026-10118 is classified under CWE-190 (Integer Overflow or Wraparound), with Red Hat additionally mapping it to CWE-122 (Heap-based Buffer Overflow) to capture the downstream consequence. The vulnerability carries a CVSS v3 base score of 7.8.

The flaw resides in the tilingPatternFill function within Poppler's Splash rendering backend. During the processing of a PDF tiling pattern, this function computes result_width and result_height values that are subsequently passed to Splash::drawImage(). An attacker can craft a PDF file containing a /Pattern dictionary with specific /Matrix and /BBox values that cause these dimension calculations to overflow. When the integer overflow occurs, the resulting values wrap around to a much smaller number than intended, leading to an undersized heap memory allocation via malloc. The rendering pipeline then proceeds to write image data into this buffer based on the original (pre-overflow) dimensions, producing a classic heap buffer overflow.

The vulnerability was reported by Aisle Research and documented in the upstream GitLab issue tracker.

Affected Code Paths

AddressSanitizer output from the GitLab issue identifies the following affected functions and source locations:

FunctionSource FileLineRole
SplashOutputDev::tilingBitmapSrcpoppler/SplashOutputDev.cc3134Overflow manifests as heap buffer overflow write
Splash::scaleImageYdownXdownsplash/Splash.cc4087Image scaling path involved in overflow propagation
Splash::drawImagesplash/Splash.cc3633Receives overflowed dimensions from tilingPatternFill

The full call stack traces from main (in the pdftoppm utility) through PDFDoc::displayPageSlice, Page::displaySlice, Gfx::display, Gfx::go, Gfx::execOp, Gfx::opFill, Gfx::doPatternFill, Gfx::doTilingPatternFill, SplashOutputDev::tilingPatternFill, into Splash::drawImage, and finally to the crashing point at SplashOutputDev::tilingBitmapSrc. This confirms the overflow is triggered during normal PDF rendering when the engine encounters a crafted tiling pattern.

The AddressSanitizer output confirmed a heap buffer overflow on a write of size 1, occurring immediately after a 1,699,176 byte region allocated by malloc. This confirms the undersized allocation followed by out of bounds write pattern.

Attack Flow

The exploitation path is straightforward and requires no authentication or special privileges:

  1. An attacker crafts a malicious PDF file containing a /Pattern object with manipulated /Matrix and /BBox values designed to trigger the integer overflow in the dimension calculations.
  2. The attacker delivers this PDF to a victim via email, web download, or any other file transfer mechanism.
  3. When the victim opens the PDF in any application using Poppler's Splash backend (Evince, Okular, pdftoppm, etc.), the rendering engine processes the tiling pattern.
  4. The tilingPatternFill function computes result_width and result_height, which overflow due to the crafted values.
  5. An undersized heap buffer is allocated based on the overflowed (wrapped around) dimensions.
  6. The subsequent image rendering writes data beyond the allocated buffer, corrupting heap memory.
  7. Depending on heap layout and exploitation technique, this can lead to arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

The attack vector is network/remote with low attack complexity. The upstream GitLab issue provides a reproduction command: pdftoppm -png ./reproducer-oob.pdf output -r 2500.

Affected Systems and Versions

All versions of Poppler prior to 26.05.0 (released May 3, 2026) that use the Splash rendering backend are affected. The upstream fix is incorporated into Poppler 26.05.0.

Applications linked against vulnerable versions of Poppler's Splash backend include:

ApplicationBindingDesktop/Platform
EvinceGLibGNOME
OkularQt5KDE
GIMPGTKCross platform
InkscapeGTKCross platform
LibreOffice 4.xGTKCross platform
ZathuraGTKLightweight
pdftoppm, pdftotext, pdftohtmlCLICommand line utilities

The poppler-utils package, bundled with most Linux distributions, provides command line tools (pdfattach, pdfdetach, pdffonts, pdfimages, pdfinfo, pdfseparate, pdftocairo, pdftohtml, pdftoppm, pdftops, pdftotext, pdfunite) that are widely used in automated document processing pipelines.

As of June 1, 2026, distribution level patches specifically addressing CVE-2026-10118 have not yet been confirmed for RHEL, Debian, or Ubuntu. Earlier 2026 RHSAs for Poppler (RHSA-2026:0126, RHSA-2026:0774, RHSA-2026:0795, RHSA-2026:0773) address CVE-2025-32365, not this vulnerability.

Vendor Security History

Poppler has accumulated at least 27 CVEs according to CVEDetails, with a recurring pattern of memory corruption vulnerabilities triggered by crafted PDF input. The Splash backend has been a repeated source of these issues:

CVEYearTypeDescription
CVE-2013-17892013NULL pointer dereferenceDenial of service via crafted input in splash/Splash.cc
CVE-2017-94062017Memory leakDenial of service via gmalloc in gmem.cc
CVE-2020-357022020Heap based buffer overflowDCTStream::getChars in DCTStream.cc
CVE-2025-323652025Out of bounds readCrafted PDF triggering OOB read in Poppler
CVE-2025-504222025Assertion failureCairo assertion failure via Poppler through 25.08.0
CVE-2026-101182026Integer overflow to heap buffer overflowtilingPatternFill in Splash backend

The recurrence of heap based buffer overflows and out of bounds access vulnerabilities, particularly in the Splash backend (CVE-2013-1789, CVE-2020-35702, CVE-2026-10118), indicates a persistent attack surface in Poppler's handling of complex PDF structures. Neither the Splash nor Cairo backend is inherently safer; CVE-2025-50422 demonstrates that the Cairo path has its own vulnerability history. This pattern suggests that organizations should implement defense in depth for all PDF processing rather than relying solely on patching individual CVEs.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization