Source: okular
Version: 4:26.04.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

From https://kde.org/info/security/advisory-20260511-4.txt:

KDE Project Security Advisory
=============================

Title:          Okular: unsigned integer wrap-around in fax backend leads to heap out-of-bounds read and write
Risk Rating:    Critical
CVE:            PENDING
Versions:       Okular <= 26.04.0
Author:         George Karagiannidis
Date:           11 May 2026

Overview
========

Okular is a universal document viewer. The fax backend in
generators/fax/faxdocument.cpp subtracts a fixed value from unsigned length
variables in its Ghostscript / PC Research header handling without first
checking that the values are large enough. On a short crafted input the
subtraction wraps around to a very large unsigned integer, which is then
passed as a length to a routine that performs read/write operations across
the wrapped range.

Impact
======

Opening a crafted fax file triggers unsigned integer wrap-around, causing
the fax parser to perform heap out-of-bounds reads and writes across a
large memory range. This can be exploited to achieve code execution by
enticing the victim to open a malicious .g3 or .g4 file.

Workaround
==========

Do not open untrusted .g3 or .g4 fax files in vulnerable Okular builds.

Solution
========

Update Okular >= 26.04.1 or apply
https://commits.kde.org/okular/e5f088674223019fafac26800a2ae0c0d6afc85b

Credits
=======

Thanks to George Karagiannidis from TwelveSec for reporting this issue.

Regards,
Salvatore
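
The bug class described in the advisory's Overview, as an added example that is not part of the original message and is not Okular's code: an unchecked unsigned subtraction next to a checked form that rejects short input. kHeaderSize, the function names and the sample buffers are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical header size, chosen for illustration only.
constexpr std::size_t kHeaderSize = 64;

// The bug class: unsigned subtraction with no lower-bound check.
// For length < kHeaderSize the result wraps to a value near SIZE_MAX.
std::size_t unchecked_payload_length(std::size_t length)
{
    return length - kHeaderSize;
}

// Checked form: refuse inputs shorter than the header before subtracting.
bool checked_payload_length(std::size_t length, std::size_t &payload)
{
    if (length < kHeaderSize) {
        return false;
    }
    payload = length - kHeaderSize;
    return true;
}

// Copies the bytes after the header into out; returns false for a truncated file.
bool strip_header(const std::vector<std::uint8_t> &file, std::vector<std::uint8_t> &out)
{
    std::size_t payload = 0;
    if (!checked_payload_length(file.size(), payload)) {
        return false;
    }
    out.assign(file.data() + kHeaderSize, file.data() + kHeaderSize + payload);
    return true;
}

int main()
{
    const std::vector<std::uint8_t> short_file(10, 0x00); // constructed, shorter than the header
    const std::vector<std::uint8_t> ok_file(100, 0x00);   // constructed, header plus 36 bytes
    std::vector<std::uint8_t> out;
    const bool rejected = !strip_header(short_file, out);
    const bool accepted = strip_header(ok_file, out) && out.size() == 36;
    return (rejected && accepted) ? 0 : 1;
}
```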
