CVE-2025-52886: 
NixOS vulnerability analysis and mitigation

Poppler, a PDF rendering library, was found to contain a use-after-free vulnerability (CVE-2025-52886) in versions prior to 25.06.0. The vulnerability was discovered on April 3, 2025, and was publicly disclosed on June 3, 2025, after the release of the patched version (GitHub SecurityLab).

The vulnerability stems from the use of std::atomic_int for reference counting in four locations: Annot.h, Array.h, Dict.h, and Stream.h. Due to std::atomic_int being limited to 32 bits, it's possible to overflow the reference count, leading to a use-after-free condition. The vulnerability has been assigned a CVSS 4.0 score of 5.5 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P and is classified under CWE-416 (Use After Free) (NVD).

While the vulnerability could potentially lead to code execution in Poppler, the practical risk of exploitation is considered low. Testing revealed that triggering the use-after-free condition requires approximately 12 hours of execution time (GitHub SecurityLab).

The vulnerability has been patched in Poppler version 25.06.0. Users are advised to upgrade to this version or later to address the issue (GitHub SecurityLab).