Unrated severityNVD Advisory· Published Feb 9, 2026· Updated Feb 11, 2026
SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor
CVE-2026-25920
Description
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=3.5.2+ 1 more
- (no CPE)range: <=3.5.2
- (no CPE)range: <= 3.5.2
Patches
Vulnerability mechanics
References
3- github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cppmitrex_refsource_MISC
- github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3mitrex_refsource_MISC
- github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffpmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.