{"id":"CVE-2022-37052","details":"A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.","modified":"2026-02-01T19:24:57.563238Z","published":"2023-08-22T19:16:23.800Z","related":["SUSE-SU-2023:4270-1","SUSE-SU-2023:4362-1","SUSE-SU-2023:4363-1","SUSE-SU-2023:4546-1","SUSE-SU-2023:4562-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00037.html"},{"type":"REPORT","url":"https://gitlab.freedesktop.org/poppler/poppler/-/issues/1278"},{"type":"FIX","url":"https://gitlab.freedesktop.org/poppler/poppler/-/commit/8677500399fc2548fa816b619580c2c07915a98c"},{"type":"EVIDENCE","url":"https://gitlab.freedesktop.org/poppler/poppler/-/issues/1278"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.freedesktop.org/poppler/poppler","events":[{"introduced":"0"},{"fixed":"8677500399fc2548fa816b619580c2c07915a98c"}]}],"versions":["poppler-0.10.0","poppler-0.11.0","poppler-0.11.1","poppler-0.11.2","poppler-0.11.3","poppler-0.12.0","poppler-0.13.1","poppler-0.13.2","poppler-0.13.3","poppler-0.13.4","poppler-0.14.0","poppler-0.15.0","poppler-0.15.1","poppler-0.15.2","poppler-0.15.3","poppler-0.16.0","poppler-0.17.0","poppler-0.17.1","poppler-0.17.2","poppler-0.17.3","poppler-0.17.4","poppler-0.18.0","poppler-0.19.0","poppler-0.19.1","poppler-0.19.2","poppler-0.19.3","poppler-0.19.4","poppler-0.2.0","poppler-0.20.0","poppler-0.20.1","poppler-0.20.2","poppler-0.20.3","poppler-0.20.4","poppler-0.20.5","poppler-0.21.0","poppler-0.21.1","poppler-0.21.2","poppler-0.21.3","poppler-0.21.4","poppler-0.22.0","poppler-0.22.1","poppler-0.22.2","poppler-0.22.3","poppler-0.22.4","poppler-0.23.0","poppler-0.23.1","poppler-0.23.2","poppler-0.23.3","poppler-0.23.4","poppler-0.24.0","poppler-0.24.1","poppler-0.24.2","poppler-0.24.3","poppler-0.24.4","poppler-0.24.5","poppler-0.25.0","poppler-0.25.1","poppler-0.25.2","poppler-0.25.3","poppler-0.26.0","poppler-0.26.1","poppler-0.26.2","poppler-0.26.3","poppler-0.26.4","poppler-0.28.0","poppler-0.28.1","poppler-0.29.0","poppler-0.3.0","poppler-0.3.1","poppler-0.3.2","poppler-0.3.3","poppler-0.30.0","poppler-0.31.0","poppler-0.32.0","poppler-0.33.0","poppler-0.34.0","poppler-0.35.0","poppler-0.36","poppler-0.37","poppler-0.38.0","poppler-0.39","poppler-0.4.0","poppler-0.40.0","poppler-0.41.0","poppler-0.42.0","poppler-0.43","poppler-0.44","poppler-0.45","poppler-0.46","poppler-0.47","poppler-0.48","poppler-0.49","poppler-0.5.0","poppler-0.5.1","poppler-0.5.2","poppler-0.5.3","poppler-0.5.4","poppler-0.50","poppler-0.51","poppler-0.52","poppler-0.53","poppler-0.54","poppler-0.55","poppler-0.56","poppler-0.57","poppler-0.58","poppler-0.59","poppler-0.6.0","poppler-0.6.0.RC1","poppler-0.60","poppler-0.60.1","poppler-0.61","poppler-0.61.1","poppler-0.62.0","poppler-0.63.0","poppler-0.64.0","poppler-0.65.0","poppler-0.66.0","poppler-0.67.0","poppler-0.68.0","poppler-0.69.0","poppler-0.7.0","poppler-0.7.1","poppler-0.7.2","poppler-0.7.3","poppler-0.70.0","poppler-0.70.1","poppler-0.71.0","poppler-0.72.0","poppler-0.73.0","poppler-0.74.0","poppler-0.75.0","poppler-0.76.0","poppler-0.76.1","poppler-0.77.0","poppler-0.78.0","poppler-0.79.0","poppler-0.8.0","poppler-0.80.0","poppler-0.81.0","poppler-0.82.0","poppler-0.83.0","poppler-0.84.0","poppler-0.85.0","poppler-0.86.0","poppler-0.86.1","poppler-0.87.0","poppler-0.88.0","poppler-0.89.0","poppler-0.9.0","poppler-0.9.1","poppler-0.9.2","poppler-0.9.3","poppler-0.90.0","poppler-0.90.1","poppler-20.08.0","poppler-20.09.0","poppler-20.10.0","poppler-20.11.0","poppler-20.12.0","poppler-20.12.1","poppler-21.01.0","poppler-21.02.0","poppler-21.03.0","poppler-21.04.0","poppler-21.05.0","poppler-21.06.0","poppler-21.06.1","poppler-21.07.0","poppler-21.08.0","poppler-21.09.0","poppler-21.10.0","poppler-21.11.0","poppler-21.12.0","poppler-22.01.0","poppler-22.02.0","poppler-22.03.0","poppler-22.04.0","poppler-22.05.0","poppler-22.06.0","poppler-22.07.0","poppler-before-fontconfig"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37052.json","vanir_signatures":[{"signature_type":"Function","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"function_hash":"273756925730686209409700961054074407743","length":709},"deprecated":false,"target":{"file":"poppler/PDFDoc.cc","function":"PDFDoc::markPageObjects"},"id":"CVE-2022-37052-357399da","signature_version":"v1"},{"signature_type":"Line","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"line_hashes":["304763745735970609053420384128652229620","285734504008593386344482617858104492461","42814253859592019564684101588992511544","144475224911350134147774134213851618754","302150748859724529365661420478494794355","141952162578584534771931153988567791394","55032832115138834537295743468745718799","122822177716706062952169414778322927427","283465543101396804212134638422795166818"],"threshold":0.9},"deprecated":false,"target":{"file":"poppler/PDFDoc.h"},"id":"CVE-2022-37052-4f2dcdba","signature_version":"v1"},{"signature_type":"Line","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"line_hashes":["134096156516675972427431398213772276121","274327033565891089251809362098007404131","315657861017043028439752118736779152135","310342747494632308086225423428618839521","92396259489956248320603010373259439083","270520818532505959051670855695497686081","335881736725917897195697873099055027697","164051132287074236309229571548028521310","17751297525307814789131837797628208146","189875661574654780375141035586907846394","213309912279115776104064918058018866003","16644388870974947084726191627353839288","268571084823426447010581855078239765394"],"threshold":0.9},"deprecated":false,"target":{"file":"poppler/XRef.cc"},"id":"CVE-2022-37052-64302f1f","signature_version":"v1"},{"signature_type":"Function","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"function_hash":"265854075833851323163455858885360079047","length":755},"deprecated":false,"target":{"file":"poppler/XRef.cc","function":"XRef::add"},"id":"CVE-2022-37052-8ffc8827","signature_version":"v1"},{"signature_type":"Line","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"line_hashes":["181121801735472870747064168897293064753","103849804712730882272502648342367527431","238488805745295518063374455616277696956","42472909311302188098805619784000013506","233625066270574834955011569576312928500","75664786433942053680026097669574713992","208805775242167726415995853162192219040","220419883820348326307039946341742938338","61917267004015817643902586948065351305","27572075541360334951639378527805457552","99684671619090908489545030726255953084","52085140924174949520070855027186660109","223282412741190902309740621689792284853","129670537360838863992555275225918931522","189898027770441618091137947380505481845","155724131685714179047106032279560313762","280443418261585862621500037940357628307","128533887594667786220787234371560225452","67554265527797244414600859092524701792","165905509614342909963765556899922535079","189097498935229262449799936105367639560","328419242371765894953879174147444856717","317744966017308072460218150903663715071","2549616002819190507008590709287207674","30226865350122731700804720227653342594","272658899906436141828822551123325982566","27343171998904660719693444792653983257","83503353470314851440885292692948855136","204436595130037764209191444383447967278","71252050461489719397117453546589931510","156743346432394965577988407921567885326","139679651120162827735461154894157803893","151319260573666554332746136901352437216","30244300537274772668835953786996295150","284687237492628172687858486892651723074","86377232768167425300079074237041194041","294294628017295352111398640826199048262","79218594291237834113755572816588569840","138513904318935184400684750115748454881","57979830787349977242382780301315612918","86137282764665669728078980229957090349","109013260683642739482036434946018413875","20462608885410098888274097433398959874","197853115046528317048296470900160406832","86061556003459992339770577003785653667","207266259933894148082571856406029033097","163365333947463192760216260292028193514","80999898128383754846637531388484076267","230963802312648301743951661835500237537","206889750627986001176721596177602803727","148896266642754693014410053401126105406","3082988167326356478324557029362217157","164424615629908906161001745480727266069","197071821099192885370360213041544098611","286732353364019643233002812980868526469","283751313876690936838764259348357802012","41071853850630745773623740120608693682","112519370760921898887447722393055300814","168050689144898433988163632553986462528"],"threshold":0.9},"deprecated":false,"target":{"file":"poppler/PDFDoc.cc"},"id":"CVE-2022-37052-93c1b8f8","signature_version":"v1"},{"signature_type":"Function","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"function_hash":"197304028110258360728833384447789571097","length":5396},"deprecated":false,"target":{"file":"poppler/PDFDoc.cc","function":"PDFDoc::savePageAs"},"id":"CVE-2022-37052-97ac3fed","signature_version":"v1"},{"signature_type":"Function","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"function_hash":"306958588208927882981585762373439715062","length":905},"deprecated":false,"target":{"file":"poppler/PDFDoc.cc","function":"PDFDoc::markDictionnary"},"id":"CVE-2022-37052-c7cf7770","signature_version":"v1"},{"signature_type":"Line","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"line_hashes":["310548202309649677640359435006934084069","190936668863168266132341448049422773006","107772950137501725646981282321080987592","209758221373415250500470014251972493500","83092231472203693719898975207936840575"],"threshold":0.9},"deprecated":false,"target":{"file":"poppler/XRef.h"},"id":"CVE-2022-37052-d0da06e1","signature_version":"v1"},{"signature_type":"Function","source":"https://gitlab.freedesktop.org/poppler/poppler@8677500399fc2548fa816b619580c2c07915a98c","digest":{"function_hash":"260898325034261758350243020121820767480","length":1764},"deprecated":false,"target":{"file":"poppler/PDFDoc.cc","function":"PDFDoc::markObject"},"id":"CVE-2022-37052-d7e5e735","signature_version":"v1"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}