CVE-2025-43718
Publication date 2 October 2025
Last updated 8 October 2025
Ubuntu priority
Description
Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| poppler | 25.10 questing |
Fixed 25.03.0-10
|
| 25.04 plucky |
Fixed 25.03.0-3ubuntu1.3
|
|
| 24.04 LTS noble |
Fixed 24.02.0-1ubuntu9.7
|
|
| 22.04 LTS jammy |
Fixed 22.02.0-2ubuntu0.11
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7803-1
- poppler vulnerability
- 6 October 2025