{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23951", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T14:49:06.312Z", "datePublished": "2026-01-22T00:17:10.159Z", "dateUpdated": "2026-01-22T21:44:27.284Z"}, "containers": {"cna": {"title": "SumatraPDF's Integer Underflow in PalmDbReader Leads to Crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-191", "lang": "en", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv"}, {"name": "https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp", "tags": ["x_refsource_MISC"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp"}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"version": "<= 3.5.2rel", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T00:17:10.159Z"}, "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication."}], "source": {"advisory": "GHSA-hj4w-c5x8-p2hv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T21:44:16.346671Z", "id": "CVE-2026-23951", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:44:27.284Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23951", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T14:49:06.312Z", "datePublished": "2026-01-22T00:17:10.159Z", "dateUpdated": "2026-01-22T21:44:27.284Z"}, "containers": {"cna": {"title": "SumatraPDF's Integer Underflow in PalmDbReader Leads to Crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-191", "lang": "en", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv"}, {"name": "https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp", "tags": ["x_refsource_MISC"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp"}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"version": "<= 3.5.2rel", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T00:17:10.159Z"}, "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication."}], "source": {"advisory": "GHSA-hj4w-c5x8-p2hv", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23951", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T21:44:16.346671Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T21:44:22.321Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:-:*:*:*:*:*:*:*", "matchCriteriaId": "EDC837AF-B0DA-4A27-8CF4-EE8846526B37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication."}], "id": "CVE-2026-23951", "lastModified": "2026-02-17T16:48:48.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T01:15:52.633", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-191"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-193"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:59:14.856562+00:00", "value": {"mitigation_remediation": ["Avoid opening unknown or untrusted Mobi files, as the crash is triggered by a crafted file.", "Remove the PalmDbReader plugin or configure the application to blacklist Mobi format files to eliminate the possibility of an attack.", "Employ endpoint protection that scans for malformed Mobi files before they reach the application, thereby reducing the risk of a crash."], "summary": {"action": "Workaround", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "SumatraPDF (sumatrapdfreader:sumatrapdf) on Windows, all released versions affected. The warning applies to any installation of SumatraPDF that respects the current default file handling for Mobi (Palm database) files.", "description_and_impact": "SumatraPDF contains an off\u2011by\u2011one error in the completion of the PalmDbReader::GetRecord routine when parsing a Mobi file with exactly two records. The bug causes an integer underflow during a size calculation, leading to an out\u2011of\u2011bounds heap read that triggers a crash of the application. The crash is non\u2011reversible and results in denial of service for the affected user. This weakness falls under CWE\u2011125 (Out\u2011of\u2011Bounds Read), CWE\u2011191 (Signed Integer Overflow), and CWE\u2011193 (Type Conversion Error).", "risk_and_exploitability": "The CVSS score of 5.5 classifies the vulnerability as medium severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local or low\u2011enumeration: the attacker must supply a crafted Mobi file that the victim opens or that is processed by the application automatically. No known published exploitation code exists beyond the laboratory trigger."}}}}, "created": "2026-01-22T10:08:03.840470+00:00", "updated": "2026-04-18T19:00:08.057018+00:00", "vendors": ["sumatrapdfreader", "sumatrapdfreader$PRODUCT$sumatrapdf"]}