CVE-2018-9918

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/04/2018
Last modified:
03/10/2019

Description

libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:qpdf_project:qpdf:*:*:*:*:*:*:*:* 8.0.2 (including)
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*