KDE Project Security Advisory
=============================

Title:           Okular: heap out-of-bounds read in fax backend FAXMAGIC comparison
Risk Rating:     High
CVE:             PENDING
Versions:        Okular <= 26.04.0
Author:          George Karagiannidis
Date:            11 May 2026

Overview
========

Okular is a universal document viewer.

The fax backend in generators/fax/faxdocument.cpp compares the input buffer
against the FAXMAGIC signature without first ensuring that the allocated
buffer is large enough for the full comparison, resulting in a heap
out-of-bounds read.

Impact
======

Opening a short crafted fax file triggers a heap out-of-bounds read in the
fax parser. The comparison result against a fixed signature can leak
information about adjacent heap content, which may assist an attacker in
bypassing ASLR when chained with other vulnerabilities.

Workaround
==========

Do not open untrusted .g3 or .g4 fax files in vulnerable Okular builds.

Solution
========

Update to Okular >= 26.04.1 or apply
https://commits.kde.org/okular/e5f088674223019fafac26800a2ae0c0d6afc85b

Credits
=======

Thanks to George Karagiannidis from TwelveSec for reporting this issue.
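
The bug class described in the Overview, as an added example that is not Okular's code or the referenced patch: a signature comparison that ignores the buffer length, next to one that checks the length first. EXAMPLE_MAGIC, the function names and the result enum are assumptions made for this illustration; the signature bytes are a constructed placeholder, not the real FAXMAGIC value.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder signature constructed for this example; not Okular's FAXMAGIC. */
static const unsigned char EXAMPLE_MAGIC[] = {0x00, 'E', 'X', 'A', 'M', 'P', 'L', 'E', 0x00, 0x00};
#define EXAMPLE_MAGIC_LEN (sizeof EXAMPLE_MAGIC)

enum magic_result { MAGIC_TOO_SHORT, MAGIC_ABSENT, MAGIC_PRESENT };

/* Flawed pattern (shown for contrast, never called here): the caller's length
 * is ignored, so a buffer shorter than the signature is read past its end. */
int has_magic_unchecked(const unsigned char *buf)
{
    return memcmp(buf, EXAMPLE_MAGIC, EXAMPLE_MAGIC_LEN) == 0;
}

/* Hardened pattern: prove the buffer holds a full signature before comparing. */
enum magic_result check_magic(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < EXAMPLE_MAGIC_LEN)
        return MAGIC_TOO_SHORT;
    return memcmp(buf, EXAMPLE_MAGIC, EXAMPLE_MAGIC_LEN) == 0 ? MAGIC_PRESENT : MAGIC_ABSENT;
}

/* Copies `len` bytes of `src` into an exact-size heap block, so a sanitizer
 * build would flag any read beyond `len`, then classifies that block.
 * An allocation failure is reported as MAGIC_TOO_SHORT (treated as reject). */
enum magic_result check_heap_copy(const unsigned char *src, size_t len)
{
    unsigned char *heap = malloc(len ? len : 1);
    enum magic_result r;
    if (heap == NULL)
        return MAGIC_TOO_SHORT;
    memcpy(heap, src, len);
    r = check_magic(heap, len);
    free(heap);
    return r;
}

int main(void)
{
    /* Constructed inputs: a 3-byte truncated file and a full signature. */
    printf("truncated: %d\n", check_heap_copy(EXAMPLE_MAGIC, 3));
    printf("complete:  %d\n", check_heap_copy(EXAMPLE_MAGIC, EXAMPLE_MAGIC_LEN));
    return 0;
}
```

Building with -fsanitize=address and running short inputs through the parser is a quick way to confirm that a given build rejects them before the comparison.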