Yarden Porat found a heap-based buffer overwrite in MuPDF, a lightweight PDF viewer, which may result in denial of service or the execution of arbitrary code if malformed documents are opened. For Debian 11 bullseye, this problem has been fixed in version 1.17.0+ds1-2+deb11u2.
April 21, 2026