CVE-2026-44348

Description

PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4.

CVSS Details

CVSS Score

2.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

PoDoFo 1.0.0

PoDoFo 1.0.1

PoDoFo 1.0.2

PoDoFo 1.0.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Conceptual PoC for CVE-2026-44348
// Demonstrates the double free logic flaw

#include <stdio.h>
#include <stdlib.h>

void vulnerable_function() {
    char *buf = (char *)malloc(100);
    
    // Simulate a failure in EVP_DigestFinal or similar operation
    int operation_failed = 1; 
    
    if (operation_failed) {
        free(buf); // First free
        goto error_handler;
    }
    
    free(buf);
    return;

error_handler:
    free(buf); // Double free occurs here
    printf("Heap corruption likely occurred due to double free.\n");
}

int main() {
    vulnerable_function();
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44348
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44348
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44348/
[4] VulDB https://vuldb.com/cve/CVE-2026-44348
[5] https://github.com/podofo/podofo/commit/696d765c3a71ef224d4abffe1f174fef11292d7e
[6] https://github.com/podofo/podofo/security/advisories/GHSA-8fq6-rqpv-xq72
[7] https://github.com/podofo/podofo/security/advisories/GHSA-8fq6-rqpv-xq72

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44348", "sourceIdentifier": "[email protected]", "published": "2026-05-14T17:16:22.553", "lastModified": "2026-05-14T18:16:49.800", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-415"}]}], "references": [{"url": "https://github.com/podofo/podofo/commit/696d765c3a71ef224d4abffe1f174fef11292d7e", "source": "[email protected]"}, {"url": "https://github.com/podofo/podofo/security/advisories/GHSA-8fq6-rqpv-xq72", "source": "[email protected]"}, {"url": "https://github.com/podofo/podofo/security/advisories/GHSA-8fq6-rqpv-xq72", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}