Poppler Use-After-Free Vulnerability Due to Reference Count Integer Overflow

Vulnerability

A use-after-free vulnerability has been identified in Poppler, a PDF rendering library, in versions prior to 25.06.0. The issue arises because the library uses 'std::atomic_int' for reference counting, which is limited to 32 bits. This limitation allows the reference count to overflow, leading to a use-after-free condition. The vulnerability can be exploited by crafting a PDF file that creates a large number of annotations, causing the reference count to overflow so that an object is freed while it is still in use.
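The counter wrap described above, as an added example (not Poppler's code and not taken from the advisory): 'WrappingRef' models a 32-bit 'std::atomic_int' count, and 'SaturatingRef' is one general hardening, assumed here for illustration and not necessarily the fix shipped in 25.06.0. All type and function names are hypothetical, and the 2^32 references are taken in three bulk additions so the program finishes instantly.

```cpp
#include <atomic>
#include <climits>
#include <cstdio>

// Models the 32-bit counter the advisory describes; hypothetical, not Poppler's code.
struct WrappingRef {
    std::atomic_int ref{1};                           // one owner at creation
    void incRef(int n = 1) { ref.fetch_add(n); }      // atomic signed add wraps (no UB)
    bool decRef() { return ref.fetch_sub(1) == 1; }   // true => caller frees the object
};

// Hardened variant: saturate at INT_MAX and never free once pinned.
// The object is leaked on purpose, trading a use-after-free for a memory leak.
struct SaturatingRef {
    std::atomic_int ref{1};
    void incRef(int n = 1) {
        int cur = ref.load();
        int next;
        do {
            next = (cur > INT_MAX - n) ? INT_MAX : cur + n;
        } while (!ref.compare_exchange_weak(cur, next));
    }
    bool decRef() {
        int cur = ref.load();
        do {
            if (cur == INT_MAX) return false;         // pinned: count is no longer trusted
        } while (!ref.compare_exchange_weak(cur, cur - 1));
        return cur == 1;                              // cur holds the value before the decrement
    }
};

// Take 2^32 extra references (INT_MAX + INT_MAX + 2), then release just one.
// Returns true if that single release would free the object while the
// remaining references are still outstanding.
template <class R>
bool freed_after_2_32_refs() {
    R r;
    r.incRef(INT_MAX);
    r.incRef(INT_MAX);
    r.incRef(2);
    return r.decRef();
}

int main() {
    std::printf("wrapping counter frees early:   %d\n", freed_after_2_32_refs<WrappingRef>());
    std::printf("saturating counter frees early: %d\n", freed_after_2_32_refs<SaturatingRef>());
}
```

With the wrapping counter the count returns to 1 after 2^32 increments, so the next release reports "last owner"; the saturating counter stays pinned and never reports it.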

Impact

Exploitation of this vulnerability results in a use-after-free condition, which may in turn allow arbitrary code execution within the Poppler library.

Reproduction

The vulnerability can be reproduced by using the 'pdftohtml' command-line tool included with Poppler. A proof-of-concept PDF file, 'GHSL-2025-054_poppler_refcount.pdf', can be used to trigger the vulnerability. This file contains a stream that decompresses into an array of annotations, which is then referenced by multiple pages, causing the reference count to overflow.

Remediation

Users can upgrade to Poppler version 25.06.0 or later, where this vulnerability has been fixed.

Added: Jul 2, 2025, 4:21 PM
Updated: Jul 2, 2025, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 5.8
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.