{"id":"CVE-2023-28428","summary":"PDFio vulnerable to Denial Of Service when opening a corrupt PDF file","details":"PDFio is a C library for reading and writing PDF files. In versions 1.1.0 and prior, a denial of service vulnerability exists in the pdfio parser. Crafted pdf files can cause the program to run at 100% utilization and never terminate. This is different from CVE-2023-24808. A patch for this issue is available in version 1.1.1.","aliases":["GHSA-68x8-9phf-j7jf"],"modified":"2026-04-12T01:01:18.541458Z","published":"2023-03-20T14:51:43.619Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28428.json","cwe_ids":["CWE-770"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28428.json"},{"type":"ADVISORY","url":"https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28428"},{"type":"FIX","url":"https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/michaelrsweet/pdfio","events":[{"introduced":"0"},{"fixed":"97d4955666779dc5b0665e15dd951a5c12426a31"}]}],"versions":["v1.0.0","v1.0.1","v1.0b1","v1.0b2","v1.1.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T01:01:18Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28428.json","vanir_signatures":[{"target":{"function":"stream_read","file":"pdfio-stream.c"},"source":"https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2023-28428-67eea139","digest":{"function_hash":"282862833901075072396704334720462650049","length":6073}},{"target":{"file":"pdfio-stream.c"},"source":"https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2023-28428-dbb29497","digest":{"threshold":0.9,"line_hashes":["136757870134198878303031303224936215815","74457661806650491408718977145773838505","177613088240574407086318299411708928272","118533856694705943147356096536429962188","130517689653997760486941337692287495160","326032990751604882852460365411820410122","19731369917382815659000814221008185265","174265833420737648529198030630519158088","247520657888028291381029273230200729045","189225788223661238506916084824301576561","14838257183494309269511598245203038315","22159743989449190557234030619469121826","1877855205430806779910428461464290072","255895707727051474936353233026286815516","219508499250187393544363884578192782560","174265833420737648529198030630519158088","247520657888028291381029273230200729045","45734730097148311820248376565881139406","32241394353353000279595670550592631073","242510861739666419454848867849567409445","257673455368378403006710685455131430732","1877855205430806779910428461464290072","255895707727051474936353233026286815516","219508499250187393544363884578192782560","174265833420737648529198030630519158088","247520657888028291381029273230200729045","45734730097148311820248376565881139406","32241394353353000279595670550592631073","242510861739666419454848867849567409445","257673455368378403006710685455131430732"]}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}