CVE-2026-25920

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp	Product
https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3	Product
https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 22:16

Updated : 2026-02-20 20:22

NVD link : CVE-2026-25920

Mitre link : CVE-2026-25920

CVE.ORG link : CVE-2026-25920

JSON object : View

Products Affected

sumatrapdfreader

sumatrapdf

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2026-25920", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-09T22:16:04.320", "references": [{"url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash."}, {"lang": "es", "value": "SumatraPDF es un lector multiformato para Windows. En 3.5.2 y versiones anteriores, existe una vulnerabilidad de lectura fuera de l\u00edmites del heap en el descompresor MOBI HuffDic de SumatraPDF. La comprobaci\u00f3n de l\u00edmites en AddCdicData() solo valida la mitad del rango al que DecodeOne() realmente accede. Abrir un archivo .mobi manipulado puede leer casi (1 << codeLength) bytes m\u00e1s all\u00e1 del b\u00fafer del diccionario CDIC, lo que provoca un fallo."}], "lastModified": "2026-02-20T20:22:56.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D48C2C6-E8BC-471E-B59A-236F038EBC0C", "versionEndIncluding": "3.5.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}