CVE-2026-25920

5.5 MEDIUM

📋 TL;DR

A heap out-of-bounds read vulnerability in SumatraPDF's MOBI HuffDic decompressor allows reading beyond allocated memory bounds when processing malicious .mobi files. This affects all users of SumatraPDF 3.5.2 and earlier on Windows systems. The vulnerability can cause application crashes and potentially leak sensitive memory contents.

💻 Affected Systems

Products:
  • SumatraPDF
Versions: 3.5.2 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with MOBI file support enabled (default) are vulnerable when opening .mobi files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Information disclosure through memory content leakage, potentially exposing sensitive data or application secrets stored in adjacent memory regions.

🟠 Likely Case: Application crash (denial of service) when processing a malicious .mobi file, with possible limited information disclosure.

🟢 If Mitigated: No impact if the vulnerability is patched or if .mobi files are not processed by vulnerable versions.

🌐 Internet-Facing: MEDIUM - Attackers could host malicious .mobi files on websites or distribute them via email, but exploitation requires user interaction to open the file.
🏢 Internal Only: MEDIUM - Similar risk profile to internet-facing, but limited to internal file sharing and the same user-interaction requirement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious .mobi file. The vulnerability is a bounds-check bypass in the AddCdicData() function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.3 and later

Vendor Advisory: https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp

Restart Required: No

Instructions:

1. Download the latest SumatraPDF from the official website
2. Install over the existing version
3. Verify the version is 3.5.3 or higher

🔧 Temporary Workarounds

Disable MOBI file association (Windows)

Remove SumatraPDF as the default handler for .mobi files to prevent automatic opening:

Control Panel > Default Programs > Set Default Programs > Select SumatraPDF > Choose defaults for this program > Uncheck .mobi

Block .mobi files at perimeter (all platforms)

Prevent .mobi files from entering the network via email or web downloads.

🧯 If You Can't Patch

  • Restrict user permissions to prevent opening untrusted .mobi files
  • Use application whitelisting to block execution of vulnerable SumatraPDF versions

🔍 How to Verify

Check if Vulnerable:

Check the SumatraPDF version via the Help > About menu. If the version is 3.5.2 or earlier, the installation is vulnerable.

Check Version:

sumatrapdf.exe --version

Verify Fix Applied:

Verify the version is 3.5.3 or later in the Help > About menu. Test with known-safe .mobi files to confirm functionality.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs from SumatraPDF
  • Windows Event Logs with Application Error for SumatraPDF

Network Indicators:

  • Downloads of .mobi files from untrusted sources
  • Email attachments with .mobi extensions

SIEM Query:

EventID=1000 AND SourceName="Application Error" AND ProcessName="SumatraPDF.exe"
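An added example (not part of this advisory or of SumatraPDF) that implements the SIEM query above as offline detection logic: it filters constructed Windows Application-log records for Event ID 1000 from the "Application Error" source, keeps those whose faulting application is SumatraPDF.exe, and marks whether the crashing build predates the 3.5.3 fix. The sample records and their field values are constructed for this example; the message layout ("Faulting application name: ..., version: ...", "Exception code: ...") follows the standard Event 1000 text.

```python
import re

# Constructed sample Application-log records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1000, "SourceName": "Application Error",
     "Message": "Faulting application name: SumatraPDF.exe, version: 3.5.2.0, time stamp: 0x5f3a1b2c\n"
                "Faulting module name: SumatraPDF.exe, version: 3.5.2.0, time stamp: 0x5f3a1b2c\n"
                "Exception code: 0xc0000005\n"
                "Faulting application path: C:\\Program Files\\SumatraPDF\\SumatraPDF.exe\n"},
    {"EventID": 1000, "SourceName": "Application Error",   # unrelated crash, must be ignored
     "Message": "Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x1\n"
                "Exception code: 0xc0000005\n"},
    {"EventID": 1000, "SourceName": "Application Error",   # patched build crashing: still a hit, not "vulnerable"
     "Message": "Faulting application name: SumatraPDF.exe, version: 3.5.3.0, time stamp: 0x2\n"
                "Exception code: 0xc0000005\n"},
    {"EventID": 1001, "SourceName": "Windows Error Reporting",  # wrong EventID, must be ignored
     "Message": "Fault bucket, type 0 Event Name: APPCRASH P1: SumatraPDF.exe\n"},
]

FIXED_VERSION = (3, 5, 3)  # first release with the fix, per the advisory

_APP_RE = re.compile(r"Faulting application name: (?P<name>[^,]+), version: (?P<ver>[\d.]+)")
_EXC_RE = re.compile(r"Exception code: (?P<code>0x[0-9A-Fa-f]+)")


def parse_version(text):
    """'3.5.2.0' -> (3, 5, 2, 0); compared as tuples so 3.5.10 sorts above 3.5.9."""
    return tuple(int(part) for part in text.split(".") if part)


def is_vulnerable_version(text):
    """True for 3.5.2 and earlier (major.minor.patch below the fixed release)."""
    return parse_version(text)[:3] < FIXED_VERSION


def match_sumatra_crash(event):
    """Apply the SIEM query to one record; return a finding dict or None."""
    if event.get("EventID") != 1000 or event.get("SourceName") != "Application Error":
        return None
    msg = event.get("Message", "")
    app = _APP_RE.search(msg)
    if not app or app.group("name").strip().lower() != "sumatrapdf.exe":
        return None
    exc = _EXC_RE.search(msg)
    return {"version": app.group("ver"),
            "vulnerable_version": is_vulnerable_version(app.group("ver")),
            "exception_code": exc.group("code").lower() if exc else None}


def triage(events):
    """Return findings for every SumatraPDF crash record, oldest first."""
    return [f for f in (match_sumatra_crash(e) for e in events) if f]
```

A hit on a pre-3.5.3 build with exception code 0xc0000005 (access violation) is the crash signature to correlate with recent .mobi downloads or attachments listed under Network Indicators.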
