CVE-2026-44348 | THREATINT

Description

PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-14 | Updated 2026-05-14 | Assigner GitHub_M

LOW: 2.5CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Problem types

CWE-415: Double Free

Product status

>= 1.0.0, < 1.0.4

affected

References

github.com/...podofo/security/advisories/GHSA-8fq6-rqpv-xq72 exploit

github.com/...podofo/security/advisories/GHSA-8fq6-rqpv-xq72

github.com/...ommit/696d765c3a71ef224d4abffe1f174fef11292d7e

cve.org (CVE-2026-44348)

nvd.nist.gov (CVE-2026-44348)

Download JSON