KDE Project Security Advisory
=============================

Title:          Okular: heap out-of-bounds read in fax backend Ghostscript header handling
Risk Rating:    Medium
CVE:            PENDING
Versions:       Okular <= 26.04.0
Author:         George Karagiannidis
Date:           11 May 2026

Overview
========

Okular is a universal document viewer. The fax backend in
generators/fax/faxdocument.cpp contains special handling for Ghostscript /
PC Research fax headers. After matching the FAXMAGIC signature, the code
unconditionally reads a byte at a fixed offset without verifying that the
input buffer is large enough.

Impact
======

Opening a crafted fax file triggers a heap out-of-bounds read in the fax
parser. The leaked byte is stored in an internal field and may assist an
attacker in chaining this issue with other vulnerabilities to bypass ASLR.

Workaround
==========

Do not open untrusted .g3 or .g4 fax files in vulnerable Okular builds.

Solution
========

Update Okular >= 26.04.1 or apply
https://commits.kde.org/okular/e5f088674223019fafac26800a2ae0c0d6afc85b

Credits
=======

Thanks to George Karagiannidis from TwelveSec for reporting this issue.