CVE-2018-19882 in MuPDF

Summary

by MITRE

In Artifex MuPDF 1.14.0, the svg_run_image function in svg/svg-run.c allows remote attackers to cause a denial of service (href_att NULL pointer dereference and application crash) via a crafted svg file, as demonstrated by mupdf-gl.


Analysis

by VulDB Data Team • 08/23/2025

CVE-2018-19882 is a critical denial-of-service weakness in Artifex MuPDF version 1.14.0, located in the svg_run_image function of the svg/svg-run.c source file. The flaw manifests when the application processes specially crafted SVG files that contain malformed href_att attributes: a NULL pointer dereference crashes the application and makes the service unavailable. Because the crash can be triggered remotely by delivering a malicious SVG file, it is a significant risk for any system that processes untrusted SVG content.

The vulnerability stems from inadequate input validation within the SVG parsing subsystem of MuPDF. When the svg_run_image function encounters an SVG element with a malformed href_att attribute, the code fails to check for a NULL pointer before dereferencing the attribute pointer. This is a classic NULL pointer dereference, classified as CWE-476. The flaw occurs during rendering, when MuPDF processes embedded image references within SVG documents, so attacker-controlled input directly influences the program's execution flow.
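The pattern described above, as an added example that is not MuPDF's code: an attribute lookup that returns NULL for an absent attribute, an unguarded consumer (the CWE-476 shape) and a guarded one that rejects the element instead of crashing. The types, the function names, the "xlink:href" attribute name and the "data:" prefix test are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a parsed SVG element; not MuPDF's own types. */
struct attr { const char *name, *value; };
struct element { const char *tag; const struct attr *attrs; size_t n_attrs; };
enum image_status { IMAGE_OK = 0, IMAGE_NO_HREF = -1, IMAGE_UNSUPPORTED = -2 };

/* Returns the attribute value, or NULL when the document omits it. For
 * untrusted input NULL is an ordinary result that every caller must handle. */
static const char *elem_att(const struct element *e, const char *name)
{
    for (size_t i = 0; i < e->n_attrs; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return e->attrs[i].value;
    return NULL;
}

/* CWE-476 pattern, kept for contrast and never called here: the lookup result
 * is handed to strncmp() unchecked, so an absent attribute is a NULL read. */
int image_href_unchecked(const struct element *e)
{
    const char *href_att = elem_att(e, "xlink:href"); /* assumed attribute name */
    return strncmp(href_att, "data:", 5) == 0 ? IMAGE_OK : IMAGE_UNSUPPORTED;
}

/* Guarded form: report the bad element so the caller can skip it. */
int image_href_checked(const struct element *e)
{
    const char *href_att = elem_att(e, "xlink:href");
    if (href_att == NULL)
        return IMAGE_NO_HREF;
    return strncmp(href_att, "data:", 5) == 0 ? IMAGE_OK : IMAGE_UNSUPPORTED;
}

/* Constructed sample elements: embedded image, no href, non-data href. */
static const struct attr with_href[] = {{"width", "8"}, {"xlink:href", "data:image/png;base64,AAAA"}};
static const struct attr no_href[] = {{"width", "8"}, {"height", "8"}};
static const struct attr ext_href[] = {{"xlink:href", "picture.png"}};
const struct element img_ok = {"image", with_href, 2};
const struct element img_missing = {"image", no_href, 2};
const struct element img_external = {"image", ext_href, 1};

int main(void)
{
    printf("with href:    %d\n", image_href_checked(&img_ok));
    printf("without href: %d\n", image_href_checked(&img_missing));
    return 0;
}
```

Returning a status for the single bad element lets the renderer skip it and continue, so one malformed image does not take down the whole process.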

From an operational perspective, this vulnerability creates substantial risk for organizations that rely on MuPDF for document processing and rendering tasks. Because it is remotely exploitable, adversaries can trigger the denial-of-service condition simply by delivering a malicious SVG file to a victim system, which makes it particularly dangerous in web applications, email systems, or any environment where SVG content is processed without proper sanitization. The resulting application crash renders the affected system unusable until manual intervention or an application restart occurs, creating the potential for extended service disruption. This vulnerability impacts the availability aspect of the CIA triad and can be leveraged as part of broader attack campaigns targeting system reliability.

The exploitation of CVE-2018-19882 aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through application-level vulnerabilities. Security practitioners should consider this vulnerability when implementing defensive measures against persistent threats, as it represents a straightforward method for disrupting services without requiring advanced exploitation techniques. The vulnerability also demonstrates the importance of proper input validation and defensive programming practices, particularly in multimedia processing libraries where complex file format parsing occurs. Organizations should prioritize patching this vulnerability through the official MuPDF release updates and implement additional safeguards such as SVG file validation, sandboxing of document processing, and network-based intrusion detection rules to prevent exploitation attempts.

Reservation: 12/05/2018
Disclosure: 12/05/2018
Moderation: accepted
CPE: ready
EPSS: 0.00441
KEV: no
Activities: very low
