KDE Project Security Advisory
=============================

Title:          Okular: integer overflow in fax image allocation leads to undersized heap allocation
Risk Rating:    Critical
CVE:            PENDING
Versions:       Okular <= 26.04.0
Author:         George Karagiannidis
Date:           11 May 2026

Overview
========

Okular is a universal document viewer.

The fax backend in generators/fax/faxdocument.cpp uses attacker-controlled
image dimensions and decoded line counts in allocation arithmetic without
performing overflow checks. A crafted fax file can cause the allocation size
calculation to overflow, producing a heap buffer that is far smaller than the
caller expects. Subsequent pixel writes indexed by the original unclipped
dimensions then overwrite memory beyond the allocation.

Impact
======

Opening a crafted fax file with malicious dimensions or a compressed bitstream
that decodes to an unusually large line count triggers a heap out-of-bounds
write in the fax parser. This can be exploited to achieve code execution by
enticing the victim to open a malicious .g3 or .g4 file.

Workaround
==========

Do not open untrusted .g3 or .g4 fax files in vulnerable Okular builds.

Solution
========

Update to Okular >= 26.04.1 or apply
https://commits.kde.org/okular/49cccdec814b2ddb0a403b63994114f09b007a2c

Credits
=======

Thanks to George Karagiannidis from TwelveSec for reporting this issue.
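
The allocation-size overflow described in the Overview, as an added example in C that is neither Okular's code nor the fix commit: it contrasts size arithmetic that wraps silently with a checked version that rejects the image before allocating. The function names, the 1-bit-per-pixel byte-padded row layout, the 32-bit arithmetic width and the 256 MiB cap are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed policy cap for this example; not a value taken from Okular. */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)
_Static_assert(MAX_IMAGE_BYTES <= SIZE_MAX, "cap must fit in size_t");

/* Unchecked pattern: the product wraps modulo 2^32, so the result can be
 * far smaller than the number of bytes the pixel loops will later write. */
static uint32_t unchecked_image_bytes(uint32_t width, uint32_t rows)
{
    uint32_t stride = (width + 7) / 8;   /* 1 bit per pixel, padded to bytes */
    return stride * rows;                /* may wrap silently */
}

/* Checked pattern: do the arithmetic in 64 bits, reject empty or oversized
 * images, and only then narrow to size_t. Returns false on rejection. */
static bool checked_image_bytes(uint32_t width, uint32_t rows, size_t *out)
{
    if (width == 0 || rows == 0)
        return false;
    uint64_t stride = ((uint64_t)width + 7) / 8;  /* cannot wrap in 64 bits */
    uint64_t total = stride * rows;               /* below 2^61, cannot wrap */
    if (total > MAX_IMAGE_BYTES)
        return false;
    *out = (size_t)total;
    return true;
}

/* Allocate a zeroed bitmap only when the size calculation is trustworthy. */
static unsigned char *alloc_bitmap(uint32_t width, uint32_t rows, size_t *size)
{
    if (!checked_image_bytes(width, rows, size))
        return NULL;
    return calloc(1, *size);
}

int main(void)
{
    size_t n = 0;
    /* Constructed dimensions: stride 8192 * rows 524289 = 2^32 + 8192. */
    uint32_t w = 65536, r = 524289;
    unsigned char *ok = alloc_bitmap(1728, 2200, &n);  /* typical fax page */
    int rc = (ok && n == 475200 && unchecked_image_bytes(w, r) == 8192
              && alloc_bitmap(w, r, &n) == NULL) ? 0 : 1;
    free(ok);
    return rc;
}
```

The same check has to be applied to the line count produced by the decoder, not only to the dimensions declared in the file header, since both feed the allocation size.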