GHSL-2025-054: Use After Free (UAF) in Poppler - CVE-2025-52886

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://securitylab.github.com/advisories/GHSL-2025-054_poppler/ advises:

> July 1, 2025
> GHSL-2025-054: Use After Free (UAF) in Poppler - CVE-2025-52886
> Author Kevin Backhouse
>
> Coordinated Disclosure Timeline
>
>     2025-04-03: Reported as a private issue:
>         https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
>     2025-06-02: Fixed by limiting the maximum number of annots:
>         https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828
>     2025-06-03: Issue made publicly visible:
>         https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
>     2025-06-03: Poppler 25.06.0 released:
>         https://gitlab.freedesktop.org/poppler/poppler/-/tree/poppler-25.06.0?ref_type=tags
>
> Summary
>
> poppler uses std::atomic_int for reference counting. Because it is only 32 bits,
> it is possible to overflow the reference count and trigger a use-after-free.
>
>
> Project
>
> poppler
>
>
> Tested Version
>
> 25.02.0
>
>
> Details
>
> Use-after-free due to reference count integer overflow (GHSL-2025-054)
>
> poppler uses the type std::atomic_int for reference counting in four locations:
>
>     Annot.h
>     Array.h
>     Dict.h
>     Stream.h
>
> Because std::atomic_int is only 32 bits, it’s possible to overflow one of these
> reference counts, which can lead to a use-after-free memory corruption
> vulnerability.
>
> We have included a proof of concept which triggers an integer overflow on the
> reference count in Annot.h. The poc file is only 3.1KB in size, but contains a
> stream which decompresses to an array of annotations of size 0x1000000. That
> array is referenced by 0x100 pages, which causes the reference count on the
> annotation to be incremented 0x100000000 times, so it wraps around to zero and
> the annotation is deleted. Run the poc like this:
>
>     pdftohtml GHSL-2025-054_poppler_refcount.pdf
>
>
> Impact
>
> It’s possible that this use-after-free bug could be exploited to achieve code
> execution in poppler. However, in our testing it took 12 hours to trigger the
> use-after-free, so in practice the risk of exploitation is low.
>
>
> CWEs
>
>     CWE-190: “Integer Overflow or Wraparound”
>     CWE-416: “Use After Free”
>     CWE-911: “Improper Update of Reference Count”
>
>
> CVE
>
>     CVE-2025-52886
>
>
> Credit
>
> This issue was discovered and reported by GHSL team member @kevinbackhouse
> (Kevin Backhouse).
>
>
> Contact
>
> You can contact the GHSL team at securitylab () github com, please include a
> reference to GHSL-2025-054 in any communication regarding this issue.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris