Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-7868

Summary
Assigner-GandC
Assigner Org ID-ace9cabe-4f4f-416b-8c39-b0e002761924
Published At-15 Aug, 2024 | 20:22
Updated At-06 Oct, 2025 | 22:31
Rejected At-
Credits

Uninitialized variable in Xpdf 4.05 due to invalid JPEG header

In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GandC
Assigner Org ID:ace9cabe-4f4f-416b-8c39-b0e002761924
Published At:15 Aug, 2024 | 20:22
Updated At:06 Oct, 2025 | 22:31
Rejected At:
▼CVE Numbering Authority (CNA)
Uninitialized variable in Xpdf 4.05 due to invalid JPEG header

In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.

Affected Products
Vendor
Xpdf
Product
Xpdf
Platforms
  • all
Default Status
unaffected
Versions
Affected
  • From 0 through 4.05 (Version)
Problem Types
TypeCWE IDDescription
CWECWE-457CWE-457: Use of Uninitialized Variable
Type: CWE
CWE ID: CWE-457
Description: CWE-457: Use of Uninitialized Variable
Metrics
VersionBase scoreBase severityVector
4.02.1LOW
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector:
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
KMFL
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.xpdfreader.com/security-bug/CVE-2024-7868.html
N/A
Hyperlink: https://www.xpdfreader.com/security-bug/CVE-2024-7868.html
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:xpdf@xpdfreader.com
Published At:15 Aug, 2024 | 21:15
Updated At:06 Oct, 2025 | 23:15

In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.1LOW
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Type: Secondary
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector:
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CPE Matches
xpdfreader
xpdfreader
>>xpdf>>Versions before 4.06(exclusive)
cpe:2.3:a:xpdfreader:xpdf:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-457Secondaryxpdf@xpdfreader.com
CWE-908Primarynvd@nist.gov
CWE ID: CWE-457
Type: Secondary
Source: xpdf@xpdfreader.com
CWE ID: CWE-908
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.xpdfreader.com/security-bug/CVE-2024-7868.htmlxpdf@xpdfreader.com
Vendor Advisory
Hyperlink: https://www.xpdfreader.com/security-bug/CVE-2024-7868.html
Source: xpdf@xpdfreader.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2025-3154
Matching Score-8
Assigner-Glyph & Cog, LLC
ShareView Details
Matching Score-8
Assigner-Glyph & Cog, LLC
CVSS Score-2.1||LOW
EPSS-0.08% / 24.44%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 22:18
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Out-of-bounds array write due to invalid VerticesPerRow in Xpdf 4.05

Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid VerticesPerRow value in a PDF shading dictionary.

Action-Not Available
Vendor-Xpdf
Product-Xpdf
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-7867
Matching Score-8
Assigner-Glyph & Cog, LLC
ShareView Details
Matching Score-8
Assigner-Glyph & Cog, LLC
CVSS Score-2.1||LOW
EPSS-0.05% / 16.78%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 20:06
Updated-28 Aug, 2024 | 21:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integer overflow and divide-by-zero in Xpdf 4.05 due to bogus page box coordinates

In Xpdf 4.05 (and earlier), very large coordinates in a page box can cause an integer overflow and divide-by-zero.

Action-Not Available
Vendor-xpdfreaderXpdfxpdfreader
Product-xpdfXpdfxpdf
CWE ID-CWE-369
Divide By Zero
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2024-7866
Matching Score-8
Assigner-Glyph & Cog, LLC
ShareView Details
Matching Score-8
Assigner-Glyph & Cog, LLC
CVSS Score-2.1||LOW
EPSS-0.10% / 28.63%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 19:50
Updated-20 Aug, 2024 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack overflow in Xpdf 4.05 due to object loop in PDF pattern

In Xpdf 4.05 (and earlier), a PDF object loop in a pattern resource leads to infinite recursion and a stack overflow.

Action-Not Available
Vendor-xpdfreaderXpdf
Product-xpdfXpdf
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2025-11896
Matching Score-8
Assigner-Glyph & Cog, LLC
ShareView Details
Matching Score-8
Assigner-Glyph & Cog, LLC
CVSS Score-2.1||LOW
EPSS-0.03% / 7.56%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 21:59
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack overflow in Xpdf 4.05 due to object loop in PDF CMap

In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.

Action-Not Available
Vendor-Xpdf
Product-Xpdf
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2019-17533
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.2||HIGH
EPSS-0.55% / 67.44%
||
7 Day CHG~0.00%
Published-13 Oct, 2019 | 02:00
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.

Action-Not Available
Vendor-matio_projectn/aDebian GNU/Linux
Product-debian_linuxmation/a
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2020-13113
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.2||HIGH
EPSS-0.70% / 71.58%
||
7 Day CHG~0.00%
Published-21 May, 2020 | 16:03
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions.

Action-Not Available
Vendor-libexif_projectn/aCanonical Ltd.openSUSEDebian GNU/Linux
Product-ubuntu_linuxdebian_linuxleaplibexifn/a
CWE ID-CWE-908
Use of Uninitialized Resource
Details not found