KDE Project Security Advisory
=============================

Title:          Okular: unsigned integer wrap-around in fax backend leads to heap out-of-bounds read and write
Risk Rating:    Critical
CVE:            PENDING
Versions:       Okular <= 26.04.0
Author:         George Karagiannidis
Date:           11 May 2026

Overview
========

Okular is a universal document viewer. The fax backend in
generators/fax/faxdocument.cpp subtracts a fixed value from unsigned length
variables in its Ghostscript / PC Research header handling without first
checking that the values are large enough. On a short crafted input the
subtraction wraps around to a very large unsigned integer, which is then
passed as a length to a routine that performs read/write operations across
the wrapped range.

Impact
======

Opening a crafted fax file triggers unsigned integer wrap-around, causing
the fax parser to perform heap out-of-bounds reads and writes across a
large memory range. This can be exploited to achieve code execution by
enticing the victim to open a malicious .g3 or .g4 file.

Workaround
==========

Do not open untrusted .g3 or .g4 fax files in vulnerable Okular builds.

Solution
========

Update Okular >= 26.04.1 or apply
https://commits.kde.org/okular/e5f088674223019fafac26800a2ae0c0d6afc85b

Credits
=======

Thanks to George Karagiannidis from TwelveSec for reporting this issue.