
Description

A flaw has been found in Artifex MuPDF up to 1.26.1 on Windows. The affected element is the function get_system_dpi in the file platform/x11/win_main.c. Manipulation of this function results in an uncontrolled search path. The attack requires local access and is considered to have high complexity; exploitability is regarded as difficult. Upgrading to version 1.26.2 is sufficient to resolve this issue. Patch name: ebb125334eb007d64e579204af3c264aadf2e244. Upgrading the affected component is recommended.

PUBLISHED Reserved 2026-02-08 | Published 2026-02-10 | Updated 2026-02-10 | Assigner VulDB




HIGH: 7.3 | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X
HIGH: 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C
HIGH: 7.0 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C
6.0 | AV:L/AC:H/Au:S/C:C/I:C/A:C/E:ND/RL:OF/RC:C

Problem types

Uncontrolled Search Path

Untrusted Search Path

Product status

1.26.0: affected
1.26.1: affected
1.26.2: unaffected

Timeline

2025-08-04: Countermeasure disclosed
2026-02-08: Advisory disclosed
2026-02-08: VulDB entry created
2026-02-08: VulDB entry last update

Credits

nmaochea (VulDB User), reporter

References

vuldb.com/?id.344924 (VDB-344924 | Artifex MuPDF win_main.c get_system_dpi uncontrolled search path) vdb-entry technical-description

vuldb.com/?ctiid.344924 (VDB-344924 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.750978 (Submit #750978 | Artifex Software MuPDF 1.26.2 Uncontrolled Search Path) third-party-advisory

cgit.ghostscript.com/...25334eb007d64e579204af3c264aadf2e244 patch

casper.mupdf.com/downloads/archive/mupdf-1.26.2-windows.zip patch

artifex.com/ product

cve.org (CVE-2025-15569)

nvd.nist.gov (CVE-2025-15569)
