CVE-2023-3436 : Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in

Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.

Published 2023-06-27 21:15:16

Updated 2023-07-06 16:00:58

Source Glyph & Cog, LLC

View at NVD, CVE.org

Products affected by CVE-2023-3436

Xpdfreader » Xpdf » Version: 4.04
cpe:2.3:a:xpdfreader:xpdf:4.04:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 1 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L	1.8	1.4	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L	1.8	1.4	Glyph & Cog, LLC
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE-667 Improper Locking

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Assigned by: nvd@nist.gov (Primary)
CWE-833 Deadlock

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Assigned by: xpdf@xpdfreader.com (Secondary)

https://forum.xpdfreader.com/viewtopic.php?t=42618

xpdf-4.04/xpdf/XRef.cc: XRef::getObjectStreamObject - forum.xpdfreader.com
Issue Tracking

Jump to