CVE-2025-15569 Overview
A high-severity uncontrolled search path vulnerability has been identified in Artifex MuPDF up to version 1.26.1 on Windows systems. The vulnerability exists in the get_system_dpi function within the file platform/x11/win_main.c. This flaw could allow a local attacker to manipulate the search path, potentially leading to arbitrary code execution with the privileges of the affected application.
Critical Impact
Local attackers with access to a Windows system running vulnerable MuPDF versions could exploit this uncontrolled search path vulnerability to execute arbitrary code, potentially compromising system integrity, confidentiality, and availability.
Affected Products
- Artifex MuPDF versions up to and including 1.26.1 on Windows
Discovery Timeline
- 2026-02-10 - CVE-2025-15569 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-15569
Vulnerability Analysis
This vulnerability is classified as CWE-426 (Untrusted Search Path), which occurs when an application searches for critical resources using an externally-supplied search path that could point to malicious files. In the case of MuPDF, the get_system_dpi function in platform/x11/win_main.c improperly handles the search path resolution on Windows systems.
When the application attempts to load resources or libraries, an attacker with local access could place a malicious file in a directory that takes precedence in the search order. This is particularly concerning on Windows systems where DLL search order hijacking is a common attack technique.
The attack requires local access to the system and is considered to have high complexity, making exploitation difficult but not impossible for a determined attacker. Successful exploitation could lead to complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of this vulnerability lies in the improper handling of system path resolution within the get_system_dpi function. The function does not adequately validate or restrict the search paths used when loading system resources, allowing an attacker to inject malicious content into the search path. This untrusted search path issue (CWE-426) enables potential DLL hijacking or similar path manipulation attacks on Windows platforms.
Attack Vector
The attack vector is local, requiring the attacker to have access to the target Windows system. The attacker would need to:
- Gain local access to a system running a vulnerable version of MuPDF
- Place a malicious file (such as a DLL) in a directory that precedes legitimate directories in the application's search path
- Trigger the vulnerable get_system_dpi function to load the malicious file
While the attack complexity is high due to the specific conditions required, successful exploitation could result in arbitrary code execution with the privileges of the MuPDF process.
The vulnerability is exploited through manipulation of the search path used by the get_system_dpi function. An attacker with local access could place a malicious DLL or resource file in a location that takes precedence over legitimate system directories. When MuPDF attempts to resolve system DPI settings, it may load the attacker-controlled file instead of the legitimate system resource. For detailed technical information about the fix, see the MuPDF Git Commit Log.
Detection Methods for CVE-2025-15569
Indicators of Compromise
- Unexpected DLL files appearing in MuPDF installation directories or Windows system paths
- Unusual process behavior or child processes spawned by MuPDF applications
- Modified or unexpected files in the directory where the MuPDF executable resides
- Anomalous system calls related to file loading from unexpected paths
Detection Strategies
- Monitor file system activity for creation of suspicious DLLs in MuPDF application directories
- Implement application whitelisting to prevent unauthorized code execution
- Use endpoint detection and response (EDR) tools to identify path manipulation attempts
- Deploy file integrity monitoring on critical application directories
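An added example (not from the original advisory or the MuPDF project) of one file check behind the indicators and strategies above: it lists DLLs in an application directory whose names collide with DLLs in the system directory and reports whether the contents differ. The directory layout and file names used in demo() are constructed placeholders.

```python
import hashlib
import os
import tempfile


def dll_index(directory):
    """Map lower-cased DLL name -> path for one directory (non-recursive)."""
    return {e.name.lower(): e.path for e in os.scandir(directory)
            if e.is_file() and e.name.lower().endswith(".dll")}


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """Report DLLs in app_dir whose name collides with a DLL in system_dir.

    Names match case-insensitively on Windows, and a bare-name load checks the
    application directory before System32 (KnownDLLs aside) by default.
    """
    system = dll_index(system_dir)
    findings = []
    for name, path in sorted(dll_index(app_dir).items()):
        if name in system:
            findings.append({"name": name, "path": path,
                             "differs_from_system": sha256_of(path) != sha256_of(system[name])})
    return findings


def demo():
    """Constructed layout with placeholder names, not real MuPDF or Windows files."""
    with tempfile.TemporaryDirectory() as root:
        app, system = os.path.join(root, "MuPDF"), os.path.join(root, "System32")
        os.makedirs(app)
        os.makedirs(system)
        files = {
            (system, "sysplaceholder.dll"): b"system copy",
            (app, "SysPlaceholder.DLL"): b"planted copy",   # shadows the system name
            (app, "bundled.dll"): b"shipped with the app",  # no collision
        }
        for (directory, name), data in files.items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)
        return find_shadowing_dlls(app, system)


if __name__ == "__main__":
    print(demo())
```

On a real host, pass the MuPDF installation directory and the Windows System32 directory to find_shadowing_dlls; any result with differs_from_system set to True warrants investigation.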
Monitoring Recommendations
- Enable detailed logging for MuPDF application execution and DLL loading events
- Monitor for process injection or unusual parent-child process relationships involving MuPDF
- Implement alerts for new files created in application installation directories
- Use SentinelOne's behavioral AI to detect suspicious library loading patterns
How to Mitigate CVE-2025-15569
Immediate Actions Required
- Upgrade MuPDF to version 1.26.2 or later immediately
- Audit systems for any signs of exploitation or suspicious files in MuPDF directories
- Restrict local access to systems running vulnerable MuPDF versions
- Implement application control policies to prevent unauthorized code execution
Patch Information
Artifex has addressed this vulnerability in MuPDF version 1.26.2. The fix is identified by commit hash ebb125334eb007d64e579204af3c264aadf2e244. Organizations should upgrade to the patched version as soon as possible.
The patched version can be downloaded from MuPDF Windows Download.
For additional information about the vulnerability and patch details, refer to:
Workarounds
- Restrict file system permissions to prevent unauthorized users from placing files in MuPDF directories
- Implement strict application whitelisting policies on affected systems
- Run MuPDF with least-privilege accounts to minimize impact of potential exploitation
- Monitor and restrict write access to directories in the Windows system PATH
# Verify MuPDF version and restrict directory permissions
# Check current MuPDF version
mupdf --version
# On Windows, restrict write permissions to MuPDF installation directory
icacls "C:\Program Files\MuPDF" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" /grant:r "BUILTIN\Users:(OI)(CI)RX"

