A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Redhat
  • Enterprise Linux
  • Enterprise Linux Eus
  • Hardened Images
  • Hummingbird
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Eus Long Life
  • Rhel Tus

No data.

No data.

References
Link Providers
https://access.redhat.com/errata/RHSA-2026:24984 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:24985 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:25058 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:27720 cve-icon
https://access.redhat.com/errata/RHSA-2026:27721 cve-icon
https://access.redhat.com/errata/RHSA-2026:27722 cve-icon
https://access.redhat.com/errata/RHSA-2026:27723 cve-icon
https://access.redhat.com/errata/RHSA-2026:27724 cve-icon
https://access.redhat.com/errata/RHSA-2026:27725 cve-icon
https://access.redhat.com/errata/RHSA-2026:27727 cve-icon
https://access.redhat.com/security/cve/CVE-2026-10118 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2460428 cve-icon cve-icon
https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-10118 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-10118 cve-icon
History

Mon, 22 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/a:redhat:rhel_e4s:9.4::appstream
cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/a:redhat:rhel_eus:9.6::crb
Vendors & Products Redhat rhel Eus
References

Mon, 22 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_eus_long_life:8.6::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products Redhat enterprise Linux Eus
Redhat rhel E4s
Redhat rhel Tus
References

Mon, 22 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Eus Long Life
CPEs cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Vendors & Products Redhat rhel Aus
Redhat rhel Eus Long Life
References

Wed, 10 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
References

Wed, 10 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10

Wed, 10 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:enterprise_linux:8::crb
cpe:/o:redhat:enterprise_linux:10.2
References

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hardened Images
Vendors & Products Redhat hardened Images

Tue, 02 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 01 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
Title Poppler: integer overflow in poppler splashoutputdev::tilingpatternfill leads to heap buffer overflow via unchecked dimension multiplication
First Time appeared Redhat
Redhat enterprise Linux
Redhat hummingbird
Weaknesses CWE-190
CPEs cpe:/a:redhat:hummingbird:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat hummingbird
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-01T15:33:39.670Z

Updated: 2026-06-22T07:35:30.276Z

Reserved: 2026-05-29T17:18:50.666Z

Link: CVE-2026-10118

cve-icon Vulnrichment

Updated: 2026-06-01T19:34:07.472Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-01T17:16:39.500

Modified: 2026-06-10T12:16:24.837

Link: CVE-2026-10118

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-01T15:25:35Z

Links: CVE-2026-10118 - Bugzilla