Poppler, the widely used PDF rendering library behind applications such as Evince, Okular and the pdftohtml command-line tool, was recently found to contain an out-of-bounds read vulnerability, tracked as CVE-2025-32365. This post walks through the vulnerability, shows the affected code, points to the original references, and briefly covers how an attacker could trigger it and how to mitigate it.
Vulnerability Details
The vulnerability affects Poppler versions prior to 25.04.0. A specially crafted input file can trigger an out-of-bounds read in the JBIG2Bitmap::combine function in JBIG2Stream.cc, the routine that composites one decoded JBIG2 bitmap onto another at a given offset. The root cause is a misplaced isOk check: the bounds check exists, but it is evaluated after a pixel read that depends on it, so a bitmap whose offset places it partly outside the destination causes memory beyond the buffer to be read. An out-of-bounds read can crash the renderer (a denial of service) and can leak the contents of adjacent memory, so it affects both availability and confidentiality.
Here is a simplified snippet illustrating the vulnerable pattern in JBIG2Bitmap::combine (elisions marked with [...]):
void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
                          uint8_t *combinationOperator) {
    [...]
    int xx, yy;
    for (yy = 0; yy < bitmap->h; ++yy) {
        if (isOk(yy + y)) { // Problematic check: only the row offset is validated here
            for (xx = 0; xx < bitmap->w; ++xx) {
                // Potential out-of-bounds read: the pixel is fetched before the
                // column offset has been checked
                uint32_t srcPixel = bitmap->getPixel(xx, yy);
                if (isOk(xx + x)) { // Correct check, but it arrives only after the read above
                    uint32_t dstPixel = getPixel(xx + x, yy + y);
                    // Combine srcPixel into dstPixel according to combinationOperator
                }
            }
        }
    }
    [...]
}
Original References and Links
The vulnerability was reported and fixed by the Poppler team, and the information and discussions can be accessed at the following links:
1. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-32365
2. Poppler's Bugzilla entry: https://bugs.freedesktop.org/show_bug.cgi?id=141224
3. Poppler release notes and source code: https://poppler.freedesktop.org/releases.html
Potential Exploit Details
An attacker would craft a PDF whose embedded JBIG2 image stream places a bitmap region at an offset that extends beyond the destination bitmap. When a vulnerable Poppler-powered application decodes that image, JBIG2Bitmap::combine reads past the end of the buffer. The practical outcomes are a crash of the rendering application (denial of service) or, if the read content influences the rendered output, leakage of adjacent heap memory. Note that no interaction beyond opening or previewing the file is required: any Poppler-backed component that decodes the image, including document previewers and thumbnailers, will reach the affected code.
Mitigation and Solutions
To address this vulnerability, users and developers are advised to update the Poppler library to version 25.04.0 or later (or to a distribution package that backports the fix), following the official release notes and source code available at:
- Poppler’s official release notes and source code: https://poppler.freedesktop.org/releases.html
More generally, developers writing decoders for attacker-controlled formats should validate offsets and dimensions before the first memory access that depends on them, not after. Clipping the overlap rectangle once before the pixel loop is more robust than a per-pixel check, because it leaves no window in which a read can precede the check. Fuzzing the decoder under AddressSanitizer is the most reliable way to catch this class of defect before release.
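To make the misplaced-check pattern and its fix concrete, here is an added example written for this post; it is not Poppler's code, and the Bitmap class, combineBuggy and combineFixed are hypothetical stand-ins for JBIG2Bitmap and its combine method. A small source bitmap is placed partly outside a destination bitmap. The buggy version fetches the destination pixel before confirming the coordinates are inside, which is the shape of the defect described in the snippet above; the fixed version clips the overlap rectangle before the loop so that no index inside the loop can leave either buffer. Out-of-bounds reads are counted rather than performed, so the program stays memory-safe while still exposing the fault.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed illustration for this post; NOT Poppler's JBIG2Bitmap code.
// One byte per pixel for clarity.
struct Bitmap {
    int w, h;
    std::vector<uint8_t> px;
    int oobReads = 0;  // instrumentation: counts reads that would have left px[]

    Bitmap(int width, int height) : w(width), h(height), px((size_t)width * height, 0) {}

    bool isOk(int xx, int yy) const { return xx >= 0 && yy >= 0 && xx < w && yy < h; }

    // Models an unchecked read. A real decoder would index px[] directly and read
    // past the buffer; here the fault is counted and 0 returned so the demo stays
    // memory-safe under any sanitizer.
    uint8_t readPixel(int xx, int yy) {
        if (!isOk(xx, yy)) { ++oobReads; return 0; }
        return px[(size_t)yy * w + xx];
    }
    void setPixel(int xx, int yy, uint8_t v) { px[(size_t)yy * w + xx] = v; }
};

// Buggy: the destination pixel is read before the bounds check, so a source
// bitmap that hangs over the destination edge reads outside px[].
void combineBuggy(Bitmap &dst, const Bitmap &src, int x, int y) {
    for (int yy = 0; yy < src.h; ++yy) {
        for (int xx = 0; xx < src.w; ++xx) {
            uint8_t d = dst.readPixel(x + xx, y + yy);   // out-of-bounds read
            if (!dst.isOk(x + xx, y + yy)) continue;      // check arrives too late
            dst.setPixel(x + xx, y + yy, d | src.px[(size_t)yy * src.w + xx]);  // OR as the combine op
        }
    }
}

// Hardened: reject non-overlapping placements first (this also keeps the
// arithmetic below away from int overflow), then clip the overlap rectangle
// once, so every index in the loop is provably inside both bitmaps.
void combineFixed(Bitmap &dst, const Bitmap &src, int x, int y) {
    if (x >= dst.w || y >= dst.h || x <= -src.w || y <= -src.h) return;
    int x0 = std::max(0, -x), y0 = std::max(0, -y);
    int x1 = std::min(src.w, dst.w - x), y1 = std::min(src.h, dst.h - y);
    for (int yy = y0; yy < y1; ++yy) {
        for (int xx = x0; xx < x1; ++xx) {
            uint8_t d = dst.readPixel(x + xx, y + yy);    // always in bounds here
            dst.setPixel(x + xx, y + yy, d | src.px[(size_t)yy * src.w + xx]);
        }
    }
}

// Scenario used by the checks: a 3x3 all-ones source placed at (x, y) on a 4x4
// zeroed destination, so part of the source can hang over an edge.
Bitmap runScenario(bool hardened, int x, int y) {
    Bitmap dst(4, 4), src(3, 3);
    std::fill(src.px.begin(), src.px.end(), 1);
    if (hardened) combineFixed(dst, src, x, y); else combineBuggy(dst, src, x, y);
    return dst;
}

int oobReadsFor(bool hardened, int x, int y) { return runScenario(hardened, x, y).oobReads; }

int pixelsSet(bool hardened, int x, int y) {
    Bitmap dst = runScenario(hardened, x, y);
    return (int)std::count(dst.px.begin(), dst.px.end(), 1);
}

int main() {
    std::printf("buggy at (2,2): %d out-of-bounds reads, %d pixels set\n",
                oobReadsFor(false, 2, 2), pixelsSet(false, 2, 2));
    std::printf("fixed at (2,2): %d out-of-bounds reads, %d pixels set\n",
                oobReadsFor(true, 2, 2), pixelsSet(true, 2, 2));
    return 0;
}
```

Compile with g++ -std=c++17 -fsanitize=address and run: for the (2,2) placement the buggy path reports five out-of-bounds reads, while the hardened path reports none and produces the same four set pixels. Clipping once before the loop is preferable to a per-pixel check because there is no statement left that can read ahead of the check.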
Conclusion
CVE-2025-32365 is a memory-safety vulnerability in the Poppler PDF rendering library, reachable from any crafted PDF that carries a JBIG2 image. Updating to 25.04.0 or later closes it; placing bounds checks before the reads that depend on them, and fuzzing decoders of untrusted formats, prevents the same defect from recurring elsewhere.
Timeline
Published on: 04/05/2025 22:15:19 UTC
Last modified on: 04/07/2025 14:17:50 UTC