Heap Out-of-Bounds Read Vulnerability in SumatraPDF by SumatraPDF Reader
CVE-2026-25920
CVSS 5.5 (MEDIUM)
What is CVE-2026-25920?
A heap out-of-bounds read has been identified in SumatraPDF, a widely used multi-format document reader for Windows. The flaw is in the MOBI HuffDic decompressor, in the AddCdicData() function: its bounds check validates only part of the range that DecodeOne() later reads from the CDIC dictionary buffer. A crafted .mobi file can therefore make the decoder read well past the end of that buffer, which can crash the application (a denial of service) when the file is opened.
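The advisory describes a check that covers only part of the range the decoder later reads. The C model below is added here as an illustration of that bug class and is not taken from SumatraPDF's source. The CDIC record layout follows the format as documented by community MOBI unpackers (16-byte header, uint16 offset table, then length-prefixed phrases); the specific incomplete check shown (validating that the 2-byte length word is in bounds but not the phrase bytes it describes) is an assumption chosen to demonstrate the pattern, not a claim about where the real AddCdicData() check falls short. The sample record is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified MOBI HuffDic CDIC record (constructed model, not SumatraPDF code):
 *   0..3   "CDIC"
 *   4..7   header length (16), big-endian
 *   8..11  number of phrases, big-endian
 *   12..15 code length in bits, big-endian (unused here)
 *   16..   uint16 offset per phrase, relative to byte 16
 *   phrase: uint16 (bit 15 = "complete" flag, low 15 bits = byte length), then bytes */
#define CDIC_HEADER_LEN 16

struct cdic { const uint8_t *data; size_t len; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Number of phrases, or 0 if the header or the offset table does not fit. */
static uint32_t cdic_count(const struct cdic *d) {
    if (d->len < CDIC_HEADER_LEN || memcmp(d->data, "CDIC", 4) != 0) return 0;
    uint32_t n = be32(d->data + 8);
    if ((uint64_t)CDIC_HEADER_LEN + (uint64_t)n * 2 > d->len) return 0;
    return n;
}

/* INCOMPLETE CHECK (assumed pattern): only the 2-byte length word is verified to lie
 * inside the record. The phrase bytes it describes are not, so a decoder that copies
 * *out_len bytes from *out reads past the end of the heap buffer. */
static int cdic_entry_partial_check(const struct cdic *d, uint32_t idx,
                                    const uint8_t **out, size_t *out_len) {
    if (idx >= cdic_count(d)) return -1;
    size_t off = (size_t)CDIC_HEADER_LEN + be16(d->data + CDIC_HEADER_LEN + 2 * idx);
    if (off + 2 > d->len) return -1;
    *out = d->data + off + 2;
    *out_len = be16(d->data + off) & 0x7fff;   /* may extend beyond d->len */
    return 0;
}

/* HARDENED CHECK: the whole range [off, off + 2 + plen) must fit in the record. */
static int cdic_entry_full_check(const struct cdic *d, uint32_t idx,
                                 const uint8_t **out, size_t *out_len) {
    if (idx >= cdic_count(d)) return -1;
    size_t off = (size_t)CDIC_HEADER_LEN + be16(d->data + CDIC_HEADER_LEN + 2 * idx);
    if (off + 2 > d->len) return -1;
    size_t plen = be16(d->data + off) & 0x7fff;
    if (plen > d->len - (off + 2)) return -1;  /* phrase bytes must fit as well */
    *out = d->data + off + 2;
    *out_len = plen;
    return 0;
}

/* Decoder-side consumer built on the hardened check: copies the phrase into buf as a
 * NUL-terminated string and never reads outside the record. Returns length or -1. */
static long cdic_copy_phrase(const struct cdic *d, uint32_t idx, char *buf, size_t bufsz) {
    const uint8_t *p; size_t n;
    if (cdic_entry_full_check(d, idx, &p, &n) != 0) return -1;
    if (n + 1 > bufsz) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return (long)n;
}

/* Constructed sample: phrase 0 is well-formed, phrase 1 claims 256 bytes but only 2 follow. */
static const uint8_t SAMPLE_CDIC[] = {
    'C','D','I','C',  0,0,0,16,  0,0,0,2,  0,0,0,8,
    0x00,0x04,                 /* phrase 0 at 16+4 = 20 */
    0x00,0x09,                 /* phrase 1 at 16+9 = 25 */
    0x80,0x03,'t','h','e',     /* complete flag, 3 bytes */
    0x81,0x00,'a','b'          /* complete flag, length 0x100, record ends after 2 bytes */
};
static const struct cdic SAMPLE = { SAMPLE_CDIC, sizeof SAMPLE_CDIC };

static int sample_partial_accepts(uint32_t idx) {
    const uint8_t *p; size_t n; return cdic_entry_partial_check(&SAMPLE, idx, &p, &n) == 0;
}
static int sample_full_accepts(uint32_t idx) {
    const uint8_t *p; size_t n; return cdic_entry_full_check(&SAMPLE, idx, &p, &n) == 0;
}
/* Bytes past the record end that the incomplete check would let a decoder read (-1 if rejected). */
static long sample_partial_overrun(uint32_t idx) {
    const uint8_t *p; size_t n;
    if (cdic_entry_partial_check(&SAMPLE, idx, &p, &n) != 0) return -1;
    size_t end = (size_t)(p - SAMPLE.data) + n;
    return end > SAMPLE.len ? (long)(end - SAMPLE.len) : 0;
}
static int sample_phrase_is(uint32_t idx, const char *expected) {
    char buf[32];
    return cdic_copy_phrase(&SAMPLE, idx, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    for (uint32_t i = 0; i < 2; i++)
        printf("phrase %u: partial check accepts=%d (overrun %ld bytes), full check accepts=%d\n",
               i, sample_partial_accepts(i), sample_partial_overrun(i), sample_full_accepts(i));
    return 0;
}
```

The validator and the consumer must agree on the range: if AddCdicData()-style loading only proves the length word is in bounds, DecodeOne()-style consumption of the length it describes is exactly the part left unchecked, and a 15-bit length field lets a malicious record claim up to 32767 bytes past a buffer that ends a few bytes later.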
Affected Version(s)
sumatrapdf <= 3.5.2
