CVE-2026-25920
published 2026-02-09


Priority: P422
Severity: medium, CVSS 3.1 base score 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.22% (12.1th percentile)
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash.
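The bounds-check mismatch described above, modeled in C as an added illustration (this is not SumatraPDF's code; the CDIC layout, the 16-byte header and the 2-byte offset entries are assumptions): the weak check sizes the offset table at one byte per entry, half of what the decoder reads, while the corrected check and a guarded accessor reject the same record.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of a CDIC record: a fixed header followed by
 * (1 << codeLength) big-endian 16-bit offsets. The real SumatraPDF
 * structures are not reproduced here. */
#define CDIC_HEADER_SIZE 16

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Weak check (models the pre-fix flaw): budgets one byte per entry,
 * i.e. half of the 2 * entries bytes that decoding actually touches. */
bool cdic_check_weak(size_t recSize, unsigned codeLength) {
    size_t entries = (size_t)1 << codeLength;
    return recSize >= CDIC_HEADER_SIZE + entries;
}

/* Corrected check: every entry is 2 bytes, and codeLength is capped so the
 * shift cannot overflow. */
bool cdic_check_fixed(size_t recSize, unsigned codeLength) {
    if (codeLength > 16) return false;
    size_t entries = (size_t)1 << codeLength;
    return recSize >= CDIC_HEADER_SIZE + 2 * entries;
}

/* Bytes past the record end that reading the last entry would touch
 * (0 when everything is in bounds). */
size_t cdic_overread_bytes(size_t recSize, unsigned codeLength) {
    size_t lastEnd = CDIC_HEADER_SIZE + 2 * ((size_t)1 << codeLength);
    return lastEnd > recSize ? lastEnd - recSize : 0;
}

/* Guarded accessor: fails cleanly instead of reading out of bounds. */
bool cdic_get_offset(const uint8_t *rec, size_t recSize, unsigned codeLength,
                     size_t idx, uint16_t *out) {
    if (!cdic_check_fixed(recSize, codeLength)) return false;
    if (idx >= ((size_t)1 << codeLength)) return false;
    *out = be16(rec + CDIC_HEADER_SIZE + 2 * idx);
    return true;
}

/* Constructed samples (not real file data): a record that is exactly large
 * enough to satisfy the weak check, and a correctly sized one. */
#define SAMPLE_CODE_LENGTH 8
#define SHORT_REC_SIZE (CDIC_HEADER_SIZE + (1 << SAMPLE_CODE_LENGTH))
#define FULL_REC_SIZE  (CDIC_HEADER_SIZE + 2 * (1 << SAMPLE_CODE_LENGTH))
static uint8_t short_rec[SHORT_REC_SIZE];
static uint8_t full_rec[FULL_REC_SIZE] = { [FULL_REC_SIZE - 2] = 0x12, [FULL_REC_SIZE - 1] = 0x34 };
```

With codeLength 8 the short record passes the weak check yet the last entry lies 256 bytes past its end, which is the (1 << codeLength) overread the advisory describes.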

Affected (1 range)

Vendor            Product     Version range   Fixed in
sumatrapdfreader  sumatrapdf  <= 3.5.2