Coordinated Disclosure Timeline

Summary

poppler uses std::atomic_int for reference counting. Because it is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free.

Project

poppler

Tested Version

25.02.0

Details

Use-after-free due to reference count integer overflow (GHSL-2025-054)

poppler uses the type std::atomic_int for reference counting in four locations:

  1. Annot.h
  2. Array.h
  3. Dict.h
  4. Stream.h

Because std::atomic_int is only 32 bits, it’s possible to overflow one of these reference counts, which can lead to a use-after-free memory corruption vulnerability.

We have included a proof of concept which triggers an integer overflow on the reference count in Annot.h. The poc file is only 3.1KB in size, but contains a stream which decompresses to an array of annotations of size 0x1000000. That array is referenced by 0x100 pages, which causes the reference count on the annotation to be incremented 0x100000000 times, so it wraps around to zero and the annotation is deleted. Run the poc like this:

pdftohtml GHSL-2025-054_poppler_refcount.pdf

Impact

It’s possible that this use-after-free bug could be exploited to achieve code execution in poppler. However, in our testing it took 12 hours to trigger the use-after-free, so in practice the risk of exploitation is low.

CWEs

CVE

Credit

This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2025-054 in any communication regarding this issue.