CVE-2024-56378

libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
mitreCNA
---
---
CISA-ADPADP
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
freedesktoppoppler
𝑥
≤ 24.12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
poppler
bullseye
vulnerable
bullseye (security)
20.09.0-3.1+deb11u2
fixed
bookworm
22.12.0-2+deb12u1
fixed
trixie
25.03.0-5+deb13u2
fixed
forky
25.03.0-11.1
fixed
sid
25.03.0-11.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
poppler
oracular
Fixed 24.08.0-1ubuntu0.1
released
noble
Fixed 24.02.0-1ubuntu9.2
released
jammy
Fixed 22.02.0-2ubuntu0.6
released
focal
Fixed 0.86.1-0ubuntu1.5
released
bionic
Fixed 0.62.0-2ubuntu2.14+esm4
released
xenial
Fixed 0.41.0-0ubuntu1.16+esm5
released
Common Weakness Enumeration
References
https://gitlab.freedesktop.org/poppler/poppler/-/blob/30eada0d2bceb42c2d2a87361339063e0b9bea50/CMakeLists.txt#L621
https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1553
https://lists.debian.org/debian-lts-announce/2025/04/msg00037.html