PT-2026-7171 · Sumatrapdf · Sumatrapdf

Haaeein · Published 2026-02-09 · Updated 2026-02-10 · CVE-2026-25920

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

SumatraPDF versions 3.5.2 and earlier

Description

A heap out-of-bounds read issue exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check within the AddCdicData() function does not validate the complete range accessed by the DecodeOne() function. Processing a specially crafted MOBI file can result in reading approximately (1 << codeLength) bytes beyond the CDIC dictionary buffer, potentially causing a crash.

Recommendations

Update SumatraPDF to a version later than 3.5.2.
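
The gap named in the Description, a load-time check that covers less than the decoder later reads, is modelled below as an added example; it is not SumatraPDF's code or its fix. The record layout, the function names cdic_check_partial and cdic_check_full, and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, assumed for illustration (not SumatraPDF's structures):
 * the record starts with (1 << code_length) big-endian 16-bit offsets; each
 * offset points at a phrase stored as a 16-bit length followed by its bytes. */
static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Incomplete check: confirms only that the first table slot exists. A decoder
 * that later indexes any of the (1 << code_length) slots can leave the buffer. */
int cdic_check_partial(const uint8_t *rec, size_t len, unsigned code_length) {
    (void)rec; (void)code_length;
    return len >= 2;
}

/* Complete check: every byte the decoder can reach is proven in bounds. */
int cdic_check_full(const uint8_t *rec, size_t len, unsigned code_length) {
    if (code_length == 0 || code_length > 15) return 0;
    size_t slots = (size_t)1 << code_length;
    if (slots > len / 2) return 0;                     /* whole offset table */
    for (size_t i = 0; i < slots; i++) {
        size_t off = be16(rec + 2 * i);
        if (off > len || len - off < 2) return 0;      /* phrase length field */
        if (be16(rec + off) > len - off - 2) return 0; /* phrase body */
    }
    return 1;
}

/* Constructed sample: code_length 2, four one-byte phrases "a".."d". */
static const uint8_t sample[20] = {
    0, 8, 0, 11, 0, 14, 0, 17,
    0, 1, 'a', 0, 1, 'b', 0, 1, 'c', 0, 1, 'd'
};

int main(void) {
    printf("consistent record:    partial=%d full=%d\n",
           cdic_check_partial(sample, sizeof sample, 2),
           cdic_check_full(sample, sizeof sample, 2));
    /* Same bytes, but the declared code length implies 16 slots, not 4. */
    printf("oversized codeLength: partial=%d full=%d\n",
           cdic_check_partial(sample, sizeof sample, 4),
           cdic_check_full(sample, sizeof sample, 4));
    return 0;
}
```

The partial check accepts both inputs, while the full check rejects the record whose declared code length implies more table slots than the buffer holds.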

Exploit

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-25920
GHSA-5MWX-65X7-CFFP

Affected Products

Sumatrapdf