# CVE-2026-25920: SumatraPDF (sumatrapdfreader/sumatrapdf) up to 3.5.2
Published: February 9, 2026 at 10:16 PM UTC

CVE-2026-25920 is a medium severity vulnerability (CVSS 5.5/10) affecting sumatrapdfreader sumatrapdf. Published Feb 9, 2026. Last updated Feb 9, 2026. CVE-2026-25920 enables unauthenticated attackers to compromise availability of sumatrapdfreader sumatrapdf. No active exploitation has been reported, but organizations should assess exposure and apply patches as available.
- Severity: MEDIUM (5.5/10)
- Attack Vector: LOCAL
- Attack Complexity: LOW
- Exploited in Wild: No known exploitation (as of Feb 9, 2026, there are no confirmed reports of active exploitation)
- Privileges Required: NONE
- User Interaction: REQUIRED

Affected:
- Organizations using sumatrapdfreader sumatrapdf
- Systems where local user access is permitted
- Any exposed instance; no authentication is required to exploit

Risk posture: Medium impact, low complexity vulnerability with no current exploitation, contained within the vulnerable component.
## Description

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash.

## References

- https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp
- https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3
- https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp
- https://nvd.nist.gov/vuln/detail/CVE-2026-25920 (NIST)
- https://cvetodo.com/cve/CVE-2026-25920 (CVETodo)

CVE-2026-25920 pertains to a heap out-of-bounds read vulnerability in SumatraPDF versions 3.5.2 and earlier.
This flaw exists within the MOBI HuffDic decompressor, specifically in the AddCdicData() function. The vulnerability arises because the bounds check implemented only validates half of the range that DecodeOne() accesses, allowing crafted .mobi files to read beyond the allocated buffer. This can lead to a crash, potentially causing denial of service (DoS).

- Availability Impact: The primary impact is a high risk of application crash or hang, leading to a denial of service. While the vulnerability does not directly compromise confidentiality or integrity, repeated or targeted exploitation could disrupt user workflows or system stability.
- Impact Context: Since the attack vector requires local access and user interaction (opening a malicious .mobi file), the threat is limited to scenarios where a user opens a malicious file intentionally or inadvertently. This makes it less severe than remote code execution vulnerabilities but still significant in environments where untrusted files are processed.
- Severity Score: The CVSS score of 5.5 (Medium) reflects the moderate severity, considering the ease of exploitation (low complexity), the local attack vector, and the high impact on availability.
- Root Cause: The core issue lies in the bounds check within the AddCdicData() function. The check only validates half of the range that the DecodeOne() function accesses during decompression. This discrepancy allows an attacker to craft a .mobi file with maliciously constructed HuffDic data, which, when processed, causes DecodeOne() to read beyond the buffer bounds.
- Decompression Process: The MOBI HuffDic decompressor is responsible for decoding dictionary data embedded within MOBI files. The DecodeOne() function performs bitwise decoding, which, due to insufficient bounds checking, can access memory outside the allocated buffer.
- Exploit Scenario: Opening a specially crafted .mobi file triggers the out-of-bounds read, leading to a crash or potential information leakage, depending on how the memory is accessed afterward.
- Affected Versions: SumatraPDF 3.5.2 and earlier
- Recommended Fixes: Upgrade to SumatraPDF 3.5.3 or later, where the bounds check has been corrected.
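The root-cause pattern above (a length check that covers only half of the index range the decoder can actually use) as an added illustrative model in C; this is not SumatraPDF's own code, and the 16-byte header, the 2-byte big-endian entry layout and all function names are assumptions. It shows a half-range check accepting a record that the full-range check rejects, and a lookup guarded by the corrected check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative model, not SumatraPDF's code: a CDIC-style record is an assumed
 * 16-byte header followed by big-endian 16-bit entry offsets, indexed by a
 * code of codeLength bits. A decoder may use any index in [0, 1 << codeLength). */
#define HDR_LEN 16

/* The flaw pattern the advisory describes: the check covers only half of the
 * index range that a codeLength-bit code can produce. */
bool check_half_range(size_t dataLen, unsigned codeLength) {
    if (codeLength == 0 || codeLength > 16) return false;
    size_t entries = (size_t)1 << (codeLength - 1);
    return dataLen >= HDR_LEN + entries * 2;
}

/* Corrected check: the table must hold every index the decoder can reach. */
bool check_full_range(size_t dataLen, unsigned codeLength) {
    if (codeLength == 0 || codeLength > 16) return false;
    size_t entries = (size_t)1 << codeLength;
    return dataLen >= HDR_LEN + entries * 2;
}

/* Bytes past the end of the record that the highest index would touch if only
 * the half-range check guarded the lookup (0 when the table fits). */
size_t overread_bytes(size_t dataLen, unsigned codeLength) {
    size_t end = HDR_LEN + ((size_t)1 << codeLength) * 2; /* one past last byte read */
    return end > dataLen ? end - dataLen : 0;
}

/* Entry lookup guarded by the corrected check; -1 means the record was
 * rejected (too short for its advertised codeLength, or code out of range). */
int cdic_entry_offset(const uint8_t *data, size_t dataLen,
                      unsigned codeLength, uint32_t code) {
    if (!check_full_range(dataLen, codeLength)) return -1;
    if (code >= ((uint32_t)1 << codeLength)) return -1;
    const uint8_t *p = data + HDR_LEN + (size_t)code * 2;
    return (p[0] << 8) | p[1];
}

/* Constructed sample data: fills buf as a record whose entry i has offset 0x100+i. */
void build_record(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = 0;
    for (size_t i = 0; HDR_LEN + i * 2 + 1 < len; i++) {
        buf[HDR_LEN + i * 2] = (uint8_t)((0x100 + i) >> 8);
        buf[HDR_LEN + i * 2 + 1] = (uint8_t)(0x100 + i);
    }
}
```

With codeLength 4 the decoder can index 16 entries, so a 32-byte record (room for 8) passes the half-range check but is rejected by the full-range one.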
### Upgrade Path

- Download the latest version from the official repository or website: SumatraPDF Releases

### Immediate Actions

- Update SumatraPDF: The most effective mitigation is to upgrade to the latest version where the vulnerability has been patched.
- Restrict File Handling: Limit the ability of untrusted users to open or execute .mobi files within environments where SumatraPDF is used.

### Additional Security Measures

- Disable MOBI support if not needed, or consider using alternative PDF/eBook readers that are regularly updated and maintained.
- Implement file validation: Use file integrity checks or sandboxing to prevent malicious files from executing arbitrary code or causing crashes.
- User Education: Educate users to avoid opening files from untrusted sources.

### Long-term Recommendations

- Monitor for updates: Keep track of security advisories from SumatraPDF and apply patches promptly.
- Security Testing: Conduct regular vulnerability assessments on applications processing untrusted files.

- Related CVEs: While specific related CVEs are not listed, similar buffer over-read vulnerabilities have been identified in decompression algorithms across various applications, emphasizing the importance of bounds checking.
- Broader Implications: Although this vulnerability is rated medium, similar issues in other file parsers or decompression libraries can lead to remote code execution or privilege escalation if exploited in different contexts.
- Community and Developer Response: The presence of a dedicated security advisory and the referenced commit indicates active maintenance and prompt response by the SumatraPDF team.
# Summary

CVE-2026-25920 is a medium severity heap out-of-bounds read vulnerability in SumatraPDF's MOBI decompression code, which can be exploited by opening a crafted .mobi file to cause application crashes. Upgrading to the latest version of SumatraPDF is strongly recommended, along with standard security best practices such as limiting untrusted file access and applying sandboxing measures.

References:
- SumatraPDF GitHub Commit Fix
- Official Security Advisory
- Source Code Reference

Updated: February 9, 2026 at 10:38 PM UTC

AI-assisted analysis reviewed and edited by Tony Hunt, Security Researcher & Vulnerability Analyst.

Related vulnerability pattern: CWE-125 in sumatrapdf.
## Common questions about CVE-2026-25920

- Severity: CVE-2026-25920 has a severity rating of Medium (4.0-6.9) with a CVSS base score of 5.5 out of 10. This is a medium severity vulnerability that should be addressed in a timely manner.
- Affected products: CVE-2026-25920 affects sumatrapdfreader sumatrapdf. Check the official vendor advisories for specific affected versions and update recommendations.
- Publication date: CVE-2026-25920 was published on February 9, 2026.
- CVSS metrics: Attack Vector: LOCAL, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: REQUIRED. Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Exploitation status: As of the latest available data, CVE-2026-25920 has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which means there is no confirmed evidence of active exploitation. However, organizations should still assess their exposure and apply patches as recommended.
- Remediation: Check sumatrapdfreader's security advisories for official patches and updates. Update sumatrapdf to the latest patched version. Review the references section for vendor advisories and mitigation guidance.
- Score: CVE-2026-25920 has a CVSS base score of 5.5 out of 10, rated as MEDIUM severity. The attack vector is LOCAL. Attack complexity is LOW.

## CVE record details

- Status: Received
- Affected Product: sumatrapdfreader sumatrapdf
- Source: GitHub security advisory GHSA-5mwx-65x7-cffp
- CVSS Metrics: Attack Vector LOCAL; Attack Complexity LOW; Privileges Required NONE; User Interaction REQUIRED; Scope UNCHANGED; Base Score 5.5; Exploitability Score 1.8; Impact Score 3.6; Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Impact: Confidentiality: NONE; Integrity: NONE; Availability: HIGH
- Weaknesses: CWE-125
- Last Modified: February 9, 2026 at 10:38 PM UTC