CVE-2025-64085
Published: 2025-12-09
Priority P433 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.25% (16.2th percentile)
A NULL pointer dereference vulnerability in the importDataObject() function of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Affected: 1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pdf-xchange | pdf-xchange_editor | — | — |
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-64085 [MEDIUM] CVE-2025-64085 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64085: PDF-XChange Editor vulnerability analysis and mitigation
A NULL pointer dereference vulnerability in the importDataObject() function of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Source: NVD
Score: 7.5
Published: December 9, 2025
Severity: HIGH
CNA Score: 6.5
Affected Technologies: PDF-XChange Editor
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 18.5
Exploitation Probability (EPSS): 0.1
Affected packages and libraries
cpe:2.3:a:pdf-xchange:pdf-xchange_editor
Sources
Windows Severity HIGH No Fix Added at: Dec 11, 2025
Windows Severity HIGH No Fix Added at: Dec 12, 2025
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-64086 [MEDIUM] CVE-2025-64086 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64086: PDF-XChange Editor vulnerability analysis and mitigation
A NULL pointer dereference vulnerability in the util.readFileIntoStream component of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Source: NVD
Score: 7.5
Published: December 9, 2025
Severity: HIGH
CNA Score: 6.5
Affected Technologies: PDF-XChange Editor
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 18.5
Exploitation Probability (EPSS): 0.1
Affected packages and libraries
cpe:2.3:a:pdf-xchange:pdf-xchange_editor
Sources
Windows Severity HIGH No Fix Added at: Dec 11, 2025
Wiz
blogs_wiz·CVSS 6.5
CVE-2026-2040 [MEDIUM] CVE-2026-2040 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2040: PDF-XChange Editor vulnerability analysis and mitigation
PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the TrackerUpdate process. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of a target user. Was ZDI-CAN-27788.
Source: NVD
Score: 7.3
Published: February 20, 2026
Severity: HIGH
CNA Score: 7.3
Affected Technologies