July 17, 2026
CVE-2026-10119: Integer Overflow in Poppler’s PDF Rendering Engine Enables Code Execution

By CyberPodcast
2 min read
A high-severity vulnerability in Poppler's Splash rendering backend lets attackers craft malicious PDF files that trigger an integer overflow, potentially leading to arbitrary code execution when the file is simply opened for viewing.[nvd.nist]
What Is Poppler
Poppler is a widely used open-source PDF rendering library that powers document viewing in countless Linux applications, including Evince, Okular, and many PDF-to-image conversion tools. Its Splash backend handles the low-level graphics rendering work, translating PDF drawing instructions like fills, patterns, and shading into actual pixel output.
The Vulnerability Explained
The flaw resides in the tilingPatternFill function within Poppler's Splash backend, a component responsible for rendering repeating tile patterns used to fill shapes in PDF documents. When Poppler processes a specially crafted PDF containing a malicious tiling pattern definition, it triggers an integer overflow during a size calculation, a defect classified under CWE-190, Integer Overflow or Wraparound.[nvd.nist]
This overflow causes the function to allocate a heap buffer that is smaller than what the subsequent rendering operation actually requires. Because the allocation undersizes the buffer, the rendering code goes on to write data past the buffer's true boundaries, resulting in an out-of-bounds heap write once the pattern is actually drawn.[nvd.nist]
Severity and Scoring
Red Hat and NVD both classify this as a high-severity issue, given the potential for full compromise of the process rendering the malicious PDF. CVSS v3.1 rates the flaw at 7.8, High, using the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, meaning the attack requires local access and user interaction such as opening the file, but no privileges, and results in high impact to confidentiality, integrity, and availability alike. An older CVSS v2 assessment scores it similarly at 7.2, High. As of publication, NVD had marked the record as "Awaiting Enrichment" without a finalized CVSS v4.0 vector, though Red Hat contributed the initial severity data as the assigning authority.[nvd.nist]
The vulnerability was published on June 1, 2026 and last modified on June 29, 2026, with Red Hat serving as the reporting source given Poppler's presence across numerous enterprise Linux distributions.[nvd.nist]
How an Attacker Exploits It
Exploitation begins with an attacker crafting a malicious PDF that embeds a tiling pattern with parameters specifically designed to overflow the integer calculation inside tilingPatternFill. The victim then needs to open or render this PDF using any application built on the vulnerable Poppler library, satisfying the user-interaction requirement reflected in the CVSS vector.[nvd.nist]
Once the file is rendered, the undersized heap allocation triggers an out-of-bounds write during the actual pattern-filling operation. Depending on how memory is laid out at the time, successful exploitation can lead to arbitrary code execution within the context of the viewing application, disclosure of sensitive information from adjacent memory, or simply a crash resulting in denial of service.[nvd.nist]
Who Is Affected
Because Poppler underpins PDF handling across a huge swath of the Linux desktop and server ecosystem, the practical exposure is broad. Red Hat has issued more than a dozen separate security advisories covering this flaw across its product lines, spanning numerous RHSA bulletins tied to different Red Hat Enterprise Linux versions and component packages that bundle Poppler. Any distribution or application shipping an unpatched Poppler build with Splash-based rendering enabled should be considered at risk.[nvd.nist]
Remediation Guidance
Red Hat has already released multiple errata addressing this issue across its supported product lines, making patching the clear priority for affected systems.
- Apply the relevant Red Hat security errata for your specific product line, referenced across RHSA-2026:24984 through RHSA-2026:30134.[nvd.nist]
- Update Poppler to a version incorporating the fix tracked in the upstream GitLab issue for this defect.[nvd.nist]
- Avoid opening untrusted or unsolicited PDF files in applications built on vulnerable Poppler versions until patched.[nvd.nist]
- Consider rendering untrusted PDFs in a sandboxed environment or dedicated viewer with restricted privileges as a compensating control.
- Track the Red Hat Bugzilla entry for this issue to confirm patch availability for your specific distribution package.[nvd.nist]
Why This Matters
PDF rendering libraries sit in an unusually exposed position, since opening a document is one of the most routine, low-suspicion actions a user can take, making memory-corruption bugs in this class of software especially attractive to attackers running phishing or drive-by campaigns. With Red Hat issuing over a dozen distinct advisories to cover this single flaw across its ecosystem, the scale of Poppler's footprint underscores why prompt patching matters far beyond just PDF viewer applications themselves.[nvd.nist]