CVE-2026-10118 - Vulnerability Details

- Poppler: integer overflow in poppler splashoutputdev::tilingpatternfill leads to heap buffer overflow via unchecked dimension multiplication

Description

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

Published: 2026-06-01

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Red Hat

Red Hat Enterprise Linux 10

affected

Version	Status	Constraints
`0:24.02.0-7.el10_2.2`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 10.0 Extended Update Support

affected

Version	Status	Constraints
`0:24.02.0-7.el10_0.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 7 Extended Lifecycle Support

affected

Version	Status	Constraints
`0:0.22.5-7.el7_9`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 7 Extended Lifecycle Support

affected

Version	Status	Constraints
`0:0.26.5-44.el7_9`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8

affected

Version	Status	Constraints
`0:20.11.0-14.el8_10`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

affected

Version	Status	Constraints
`0:20.11.0-2.el8_4.3`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

affected

Version	Status	Constraints
`0:20.11.0-2.el8_4.3`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support

affected

Version	Status	Constraints
`0:20.11.0-5.el8_6.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On

affected

Version	Status	Constraints
`0:20.11.0-5.el8_6.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.8 Telecommunications Update Service

affected

Version	Status	Constraints
`0:20.11.0-7.el8_8.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:20.11.0-7.el8_8.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9

affected

Version	Status	Constraints
`0:21.01.0-24.el9_8.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:21.01.0-15.el9_2.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

affected

Version	Status	Constraints
`0:21.01.0-20.el9_4.1`	unaffected	< *

Red Hat

Red Hat Enterprise Linux 9.6 Extended Update Support

affected

Version	Status	Constraints
`0:21.01.0-22.el9_6.1`	unaffected	< *

Red Hat

Red Hat AI Inference Server 3.3

affected

Version	Status	Constraints
`1782352950`	unaffected	< *

Red Hat

Red Hat AI Inference Server 3.3

affected

Version	Status	Constraints
`1782352919`	unaffected	< *

Red Hat

Red Hat AI Inference Server 3.3

affected

Version	Status	Constraints
`1782353093`	unaffected	< *

Red Hat

Red Hat AI Inference Server 3.3

affected

Version	Status	Constraints
`1782352847`	unaffected	< *

Red Hat

Red Hat Hardened Images

affected

Version	Status	Constraints
`26.06.0-0.1.hum1`	unaffected	< *

Red Hat Red Hat Enterprise Linux 6 unaffected —

No data.

Vendor Product Confidence Versions

Redhat

Enterprise Linux

100%

Version	Status	Scheme	Platform
`—`	affected	—	—

Redhat

Hardened Images

95%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

To mitigate this issue, users should avoid opening untrusted or suspicious PDF documents with applications that utilize the Poppler library for rendering. Limiting exposure to untrusted content can reduce the risk of exploitation.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6334-1	poppler security update
Ubuntu USN	USN-8400-1	poppler vulnerability

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00252.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://access.redhat.com/errata/RHSA-2026:24984
https://access.redhat.com/errata/RHSA-2026:24985
https://access.redhat.com/errata/RHSA-2026:25058
https://access.redhat.com/errata/RHSA-2026:27720
https://access.redhat.com/errata/RHSA-2026:27721
https://access.redhat.com/errata/RHSA-2026:27722
https://access.redhat.com/errata/RHSA-2026:27723
https://access.redhat.com/errata/RHSA-2026:27724
https://access.redhat.com/errata/RHSA-2026:27725
https://access.redhat.com/errata/RHSA-2026:27727
https://access.redhat.com/errata/RHSA-2026:29952
https://access.redhat.com/errata/RHSA-2026:30044
https://access.redhat.com/errata/RHSA-2026:30078
https://access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:30134
https://access.redhat.com/security/cve/CVE-2026-10118
https://bugzilla.redhat.com/show_bug.cgi?id=2460428
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
https://nvd.nist.gov/vuln/detail/CVE-2026-10118
https://www.cve.org/CVERecord?id=CVE-2026-10118

History

Sat, 27 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:30134

Sat, 27 Jun 2026 08:15:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2026:30087 https://access.redhat.com/errata/RHSA-2026:30088 https://access.redhat.com/errata/RHSA-2026:30089

Fri, 26 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:7~~
References		https://access.redhat.com/errata/RHSA-2026:30044

Thu, 25 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat ai Inference Server
CPEs		cpe:/a:redhat:ai_inference_server:3.3::el9
Vendors & Products		Redhat ai Inference Server
References		https://access.redhat.com/errata/RHSA-2026:30078

Thu, 25 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els
References		https://access.redhat.com/errata/RHSA-2026:29952

Mon, 22 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_e4s:9.2::appstream cpe:/a:redhat:rhel_e4s:9.4::appstream cpe:/a:redhat:rhel_eus:9.6::appstream cpe:/a:redhat:rhel_eus:9.6::crb
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2026:27721 https://access.redhat.com/errata/RHSA-2026:27722 https://access.redhat.com/errata/RHSA-2026:27723

Mon, 22 Jun 2026 04:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux Eus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_eus_long_life:8.6::appstream cpe:/a:redhat:rhel_tus:8.8::appstream cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products		Redhat enterprise Linux Eus Redhat rhel E4s Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2026:27720 https://access.redhat.com/errata/RHSA-2026:27724 https://access.redhat.com/errata/RHSA-2026:27725

Mon, 22 Jun 2026 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Eus Long Life
CPEs		cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Vendors & Products		Redhat rhel Aus Redhat rhel Eus Long Life
References		https://access.redhat.com/errata/RHSA-2026:27727

Wed, 10 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:enterprise_linux:9::crb
References		https://access.redhat.com/errata/RHSA-2026:25058

Wed, 10 Jun 2026 11:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:10~~

Wed, 10 Jun 2026 09:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb cpe:/o:redhat:enterprise_linux:10.2
References		https://access.redhat.com/errata/RHSA-2026:24984 https://access.redhat.com/errata/RHSA-2026:24985

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat hardened Images
Vendors & Products		Redhat hardened Images

Tue, 02 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-10118 https://www.cve.org/CVERecord?id=CVE-2026-10118
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 01 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
Title		Poppler: integer overflow in poppler splashoutputdev::tilingpatternfill leads to heap buffer overflow via unchecked dimension multiplication
First Time appeared		Redhat Redhat enterprise Linux Redhat hummingbird
Weaknesses		CWE-190
CPEs		cpe:/a:redhat:hummingbird:1 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux Redhat hummingbird
References		https://access.redhat.com/security/cve/CVE-2026-10118 https://bugzilla.redhat.com/show_bug.cgi?id=2460428 https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Redhat Ai Inference Server Enterprise Linux Enterprise Linux Eus Hardened Images Hummingbird Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Eus Long Life Rhel Tus

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-01T15:33:39.670Z

Updated: 2026-06-27T08:21:12.170Z

Reserved: 2026-05-29T17:18:50.666Z

Link: CVE-2026-10118

Vulnrichment

Updated: 2026-06-01T19:34:07.472Z

NVD

Status : Awaiting Analysis

Published: 2026-06-01T17:16:39.500

Modified: 2026-06-10T12:16:24.837

Link: CVE-2026-10118

Redhat

Severity : Important

Publid Date: 2026-06-01T15:25:35Z

Links: CVE-2026-10118 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-02T20:54:21Z

Weaknesses

CWE-190

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object