CVE-2026-23951
Unknown Unknown - Not Provided
Integer Underflow in SumatraPDF PalmDbReader Causes Heap Read Crash

Publication date: 2026-01-22

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23951
EUVD
EUVD-2026-4205
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sumatrapdfreader sumatrapdf *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an integer underflow in SumatraPDF's PalmDbReader component, specifically in the function PdbReader::GetRecord. It occurs when opening a specially crafted Mobi file with exactly two records that have inverted offsets. Due to a flaw in the validation loop, these inverted offsets pass unchecked, causing the size calculation for a record to underflow and produce a very large value. This leads to an out-of-bounds heap read when the application tries to read data beyond the buffer, resulting in a crash. [2]

Impact Analysis

The vulnerability can cause SumatraPDF to crash (Denial of Service) when opening a maliciously crafted Mobi file. This results in a loss of availability of the application. There is no impact on confidentiality or integrity, but the crash disrupts normal use of the software. [2]

Detection Guidance

This vulnerability can be detected by identifying attempts to open specially crafted Mobi files with exactly 2 records having inverted offsets that trigger the integer underflow. Since the crash occurs when SumatraPDF opens such a file, monitoring for crashes or abnormal terminations of SumatraPDF when opening Mobi files is a key detection method. Additionally, you can use a Python script similar to the proof of concept that generates malformed Mobi files with inverted record offsets to test your system. There are no specific network commands provided, but monitoring application logs for crashes or using debugging tools to trace SumatraPDF's handling of Mobi files can help detect exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include avoiding opening untrusted or suspicious Mobi files with SumatraPDF, especially those that might be crafted to exploit this vulnerability. Since there are no published fixes at the time of publication, users should exercise caution and consider disabling or restricting the use of SumatraPDF for Mobi files. Monitoring for application crashes and reporting them can help in early detection. Applying any future patches that fix the validation loop and add proper bounds checking in the affected functions should be done as soon as they become available. [2]

Compliance Impact

This vulnerability causes a denial of service by crashing the SumatraPDF application when opening a crafted Mobi file. It does not impact confidentiality or integrity of data, only availability. Therefore, it does not directly affect compliance with standards like GDPR or HIPAA, which primarily focus on data protection and privacy rather than availability. However, availability issues could indirectly affect compliance if critical documents cannot be accessed. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23951. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart