Integer Overflow or Wraparound Affecting poppler-utils package, versions <0:21.01.0-24.el9_8.1


Severity

Recommended
0.0
high
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

Social Trends
EPSS
0.25% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL9-POPPLERUTILS-17305960
  • published11 Jun 2026
  • disclosed1 Jun 2026

Introduced: 1 Jun 2026

CVE-2026-10118  (opens in a new tab)
CWE-190  (opens in a new tab)

How to fix?

Upgrade RHEL:9 poppler-utils to version 0:21.01.0-24.el9_8.1 or higher.
This issue was patched in RHSA-2026:25058.

NVD Description

Note: Versions mentioned in the description apply only to the upstream poppler-utils package and not the poppler-utils package as distributed by RHEL. See How to fix? for RHEL:9 relevant fixed versions and status.

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the tilingPatternFill function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

CVSS Base Scores

version 3.1