CVE-2026-44348

NameCVE-2026-44348
DescriptionPoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpodofo (PTS)bullseye0.9.7+dfsg-2fixed
bookworm0.9.8+dfsg-3fixed
trixie0.9.8+dfsg-3.2fixed
forky, sid0.9.8+dfsg-3.3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpodofosource(unstable)(not affected)

Notes

- libpodofo <not-affected> (Vulnerable code not present)
https://github.com/podofo/podofo/security/advisories/GHSA-8fq6-rqpv-xq72
Introduced with: https://github.com/podofo/podofo/commit/b812f67b48f6733e640e67a52ed3da306e7a39c7 (1.0.0-beta1)
Fixed by: https://github.com/podofo/podofo/commit/696d765c3a71ef224d4abffe1f174fef11292d7e (1.0.4)
Search for package or bug name: Reporting problems