CVE-2026-10118: Poppler: integer overflow in Poppler SplashOutputDev::tilingPatternFill leads to heap buffer overflow via unchecked dimension multiplication
A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 7
HarborGuard Analysis
Synopsis
An integer overflow vulnerability in Poppler's Splash rendering backend (the SplashOutputDev::tilingPatternFill function) allows a crafted PDF file to trigger an undersized heap allocation followed by an out-of-bounds write. The attack is local in vector but requires the victim to open a malicious PDF, and no authentication is needed beyond convincing the user to render the file. Successful exploitation gives the attacker arbitrary code execution, the ability to read sensitive in-process data, or the ability to crash the application processing the PDF. No upstream fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix ships.
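The bug class described above, as an added example (not Poppler's code and not taken from the advisory): a tile buffer size computed as width × height × bytes per pixel in 32-bit arithmetic wraps to a small value, while a checked computation rejects the same dimensions. The function names and the sample dimensions are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names; this is not Poppler's code. A tile bitmap needs
 * width * height * bytes_per_pixel bytes. */

/* The flawed pattern: the product is computed in 32-bit arithmetic.
 * Done here in unsigned so the wrap is well defined and observable;
 * with signed int the same overflow is undefined behaviour. */
static uint32_t tile_bytes_unchecked(int w, int h, int bpp) {
    return (uint32_t)w * (uint32_t)h * (uint32_t)bpp;
}

/* Hardened form: reject non-positive dimensions and any product that
 * does not fit in int, checking before each multiplication.
 * Returns 0 and stores the size in *out, or -1 on rejection. */
static int tile_bytes_checked(int w, int h, int bpp, size_t *out) {
    if (w <= 0 || h <= 0 || bpp <= 0) return -1;
    if (w > INT_MAX / h) return -1;
    int pixels = w * h;
    if (pixels > INT_MAX / bpp) return -1;
    *out = (size_t)pixels * (size_t)bpp;
    return 0;
}

/* Allocate only when the checked size computation succeeds. */
static unsigned char *alloc_tile(int w, int h, int bpp) {
    size_t n;
    if (tile_bytes_checked(w, h, bpp, &n) != 0) return NULL;
    return calloc(n, 1);
}

int main(void) {
    /* Constructed dimensions whose true size exceeds 32 bits. */
    int w = 65537, h = 65537, bpp = 4;
    printf("true bytes:     %llu\n", (unsigned long long)w * h * bpp);
    printf("32-bit product: %u\n", (unsigned)tile_bytes_unchecked(w, h, bpp));
    printf("checked alloc:  %s\n", alloc_tile(w, h, bpp) ? "allocated" : "rejected");
    unsigned char *ok = alloc_tile(64, 64, 4);
    printf("64x64x4 alloc:  %s\n", ok ? "allocated" : "rejected");
    free(ok);
    return 0;
}
```

A buffer sized from the wrapped product is far smaller than the region a renderer would then write to, which is the undersized allocation the synopsis describes.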
HarborGuard Coverage
Detection for CVE-2026-10118 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Red Hat's advisory stream) within minutes of publication and matched against all customer images, including custom-built images that bundle Poppler or any library linking against it.
Status: Available
HarborGuard scores this CVE at 7.8 HIGH per the CVSS v3.1 vector and surfaces it alongside per-environment compliance policy weighting, so teams with stricter policies on code-execution vulnerabilities see it prioritized accordingly. Triage alerts are routed to the inbox configured for each customer org, whether that is a security team queue, a Slack channel, or a ticketing integration.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for workloads that process untrusted PDFs or feature-flag gating to disable Poppler-dependent rendering paths.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
The attack vector metric is AV:L, meaning the attacker does not need network access; an existing shell or process on the host, or delivery of a malicious file to a local user, is sufficient.
- Authentication: Not required
PR:N indicates no account or credential on the target system is required to stage the attack.
- Victim interaction: Required
UI:R means a human user must take an action, specifically opening or rendering the crafted PDF file, for the exploit to trigger.
- Attack complexity: Detail
AC:L indicates the exploit is reliable and condition-free once the victim opens the file, with no race conditions or special memory layout required.
Blast Radius
- Executes arbitrary code in the context of the application processing the PDF, giving the attacker full control over that process.
- Reads in-process memory contents, which may include session tokens, credentials, or document data loaded by the application.
- Writes to out-of-bounds heap memory, corrupting adjacent allocations and potentially pivoting to broader process compromise.
- Crashes the PDF-processing application entirely, causing a denial of service for any workflow depending on that rendering path.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Red Hat advisory for CVE-2026-10118 across every ingest cycle, with automatic image matching against all Poppler-bundling images in customer registries and pipelines. Because no upstream fix version exists today, no patched-image rebuild is yet available, but the rebuild will be queued and made available automatically the moment Red Hat or another upstream source publishes a fix. For environments with auto-remediation enabled, that rebuild will trigger a regression-test run and a PR opened against affected workloads with no manual intervention required. In the meantime, compensating controls are available through HarborGuard's policy engine: consider network-policy isolation for workloads that accept or render untrusted PDFs, egress filtering to limit blast radius if a process is compromised, and feature-flag gating to disable Poppler-dependent rendering paths where the application supports it.
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat Hardened Images
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H