{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25920", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.784Z", "datePublished": "2026-02-09T21:32:26.520Z", "dateUpdated": "2026-02-11T19:58:04.411Z"}, "containers": {"cna": {"title": "SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp"}, {"name": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3", "tags": ["x_refsource_MISC"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3"}, {"name": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp", "tags": ["x_refsource_MISC"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp"}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"version": "<= 3.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T19:58:04.411Z"}, "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash."}], "source": {"advisory": "GHSA-5mwx-65x7-cffp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:05.345742Z", "id": "CVE-2026-25920", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:57:35.274Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:05.345742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:06.209Z"}}], "cna": {"title": "SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor", "source": {"advisory": "GHSA-5mwx-65x7-cffp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"status": "affected", "version": "<= 3.5.2"}]}], "references": [{"url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp", "name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3", "name": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp", "name": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T19:58:04.411Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25920", "state": "PUBLISHED", "dateUpdated": "2026-02-11T19:58:04.411Z", "dateReserved": "2026-02-09T16:22:17.784Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T21:32:26.520Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D48C2C6-E8BC-471E-B59A-236F038EBC0C", "versionEndIncluding": "3.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash."}, {"lang": "es", "value": "SumatraPDF es un lector multiformato para Windows. En 3.5.2 y versiones anteriores, existe una vulnerabilidad de lectura fuera de l\u00edmites del heap en el descompresor MOBI HuffDic de SumatraPDF. La comprobaci\u00f3n de l\u00edmites en AddCdicData() solo valida la mitad del rango al que DecodeOne() realmente accede. Abrir un archivo .mobi manipulado puede leer casi (1 &lt;&lt; codeLength) bytes m\u00e1s all\u00e1 del b\u00fafer del diccionario CDIC, lo que provoca un fallo."}], "id": "CVE-2026-25920", "lastModified": "2026-02-20T20:22:56.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T22:16:04.320", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.2]"}}], "product": "sumatrapdf", "vendor": "sumatrapdfreader"}], "analysis": {"en": {"generated_at": "2026-04-17T21:07:08.335009+00:00", "value": {"mitigation_remediation": ["Upgrade SumatraPDF to the latest version that includes the fix for the MOBI HuffDic out\u2011of\u2011bounds read.", "Avoid opening or processing untrusted .mobi files until an update is applied or MOBI support is disabled in the settings.", "Regularly check the vendor\u2019s security advisories and update schedule for any new patches."], "summary": {"action": "Apply Patch", "impact": "Data Exposure / Denial of Service"}, "threat_synthesis": {"affected_systems": "SumatraPDF read software for Windows, provided by SumatraPDFReader. Versions 3.5.2 and earlier are affected. The issue resides in the MOBI support component.", "description_and_impact": "The vulnerability is an out\u2011of\u2011bounds heap read in the MOBI HuffDic decompressor. A malformed .mobi file allows the program to read memory beyond the CDIC dictionary buffer, potentially exposing sensitive data and causing a crash. The read occurs because the bounds check in AddCdicData() covers only part of the range actually accessed by DecodeOne().", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% shows a low likelihood of exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. The typical attack requires a user to open a crafted .mobi file, so the vector is local or requires social engineering. Successful exploitation results in denial of service via a crash and may expose data from the heap."}}}}, "created": "2026-02-10T11:35:00.388962+00:00", "updated": "2026-04-17T21:15:27.380851+00:00", "vendors": ["sumatrapdfreader", "sumatrapdfreader$PRODUCT$sumatrapdf"]}