CVE-2026-25920 PUBLISHED

SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor

Assigner: GitHub_M
Reserved: 09.02.2026 Published: 09.02.2026 Updated: 09.02.2026

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, tA heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS Score: 5.5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	sumatrapdfreader
Product	sumatrapdf
Versions	Version <= 3.5.2 is affected

References

https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp
https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3
https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp

Problem Types

CWE-125: Out-of-bounds Read CWE