CVE-2021-25786

MEDIUM

qpdf 10.0.4 - Use-After-Free in Pl_ASCII85Decoder::write

Title source: llm

Description

An issue was discovered in QPDF version 10.0.4 that allows remote attackers to execute arbitrary code via a crafted .pdf file to the Pl_ASCII85Decoder::write parameter in libqpdf.

References (2)

Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/08/msg00037.html
Exploit, Issue Tracking, Patch
https://github.com/qpdf/qpdf/issues/492

Scores

CVSS v3 5.3
EPSS 0.0050
EPSS Percentile 39.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (1)
qpdf_project/qpdf 10.0.4
Published Aug 11, 2023
Tracked Since Feb 18, 2026