Unrated severityNVD Advisory· Published Feb 9, 2026· Updated Feb 11, 2026

SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor

CVE-2026-25920

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash.

Affected products

Sumatrapdfreader/Sumatrapdfv5
Range: <= 3.5.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cppmitrex_refsource_MISC
github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3mitrex_refsource_MISC
github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffpmitrex_refsource_CONFIRM

News mentions

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2
The Hacker News · Apr 24, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000