CVE-2025-46206

MEDIUM

Artifex MuPDF < 1.25.6 - Denial of Service via Infinite Recursion in mutool clean

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-46206. PoCs published by Landw-hub.

AI-analyzed exploit summary This repository describes a denial of service (DoS) vulnerability in MuPDF 1.25.6 and earlier versions, caused by infinite recursion in the `strip_outlines()` and `strip_outline()` functions when processing a malformed file. The vendor has acknowledged and patched the issue.

Description

An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion

Exploits (1)

nomisec WRITEUP
by Landw-hub · poc
https://github.com/Landw-hub/CVE-2025-46206

This repository describes a denial of service (DoS) vulnerability in MuPDF 1.25.6 and earlier versions, caused by infinite recursion in the `strip_outlines()` and `strip_outline()` functions when processing a malformed file. The vendor has acknowledged and patched the issue.

Classification
Writeup 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: MuPDF <= 1.25.6
No auth needed
Prerequisites: MuPDF installation · ability to execute `mutool clean` command
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 6.5
EPSS 0.0039
EPSS Percentile 30.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-674
Status published
Products (1)
artifex/mupdf < 1.25.6
Published Aug 04, 2025
Tracked Since Feb 18, 2026