Poppler is a PDF rendering library. Versions prior to 25.06.0 use std::atomic_int for reference counting. Because std::atomic_int is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Poppler | Ubuntu | devel | * |
| Poppler | Ubuntu | esm-infra/bionic | * |
| Poppler | Ubuntu | esm-infra/focal | * |
| Poppler | Ubuntu | esm-infra/xenial | * |
| Poppler | Ubuntu | jammy | * |
| Poppler | Ubuntu | noble | * |
| Poppler | Ubuntu | oracular | * |
| Poppler | Ubuntu | plucky | * |
| Poppler | Ubuntu | upstream | * |