CVE-2026-23951
Integer Underflow in SumatraPDF PalmDbReader Causes Heap Read Crash
Publication date: 2026-01-22
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sumatrapdfreader | sumatrapdf | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an integer underflow in SumatraPDF's PalmDbReader component, specifically in the function PdbReader::GetRecord. It occurs when opening a specially crafted Mobi file with exactly two records that have inverted offsets. Due to a flaw in the validation loop, these inverted offsets pass unchecked, causing the size calculation for a record to underflow and produce a very large value. This leads to an out-of-bounds heap read when the application tries to read data beyond the buffer, resulting in a crash. [2]
How can this vulnerability impact me?
The vulnerability can cause SumatraPDF to crash (Denial of Service) when opening a maliciously crafted Mobi file. This results in a loss of availability of the application. There is no impact on confidentiality or integrity, but the crash disrupts normal use of the software. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying attempts to open specially crafted Mobi files with exactly 2 records having inverted offsets that trigger the integer underflow. Since the crash occurs when SumatraPDF opens such a file, monitoring for crashes or abnormal terminations of SumatraPDF when opening Mobi files is a key detection method. Additionally, you can use a Python script similar to the proof of concept that generates malformed Mobi files with inverted record offsets to test your system. There are no specific network commands provided, but monitoring application logs for crashes or using debugging tools to trace SumatraPDF's handling of Mobi files can help detect exploitation attempts. [2]
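A file-triage check for the condition described above, as an added example that is not the advisory's proof of concept or SumatraPDF code: it reads the Palm database record table (78-byte header, record count at offset 76, 8-byte big-endian entries) and flags record offsets that are out of order or out of range. The `build_pdb` helper and its `TESTtest` type/creator are constructed test input, not a real Mobi file.

```python
import struct

PDB_HEADER_LEN = 78  # fixed Palm database header; record count is the u16 at offset 76
REC_ENTRY_LEN = 8    # per record: u32 offset, u8 attributes, 3-byte unique id


def check_pdb_record_offsets(data: bytes) -> list[str]:
    """Return findings for a PDB/Mobi record table; an empty list means it is sane."""
    if len(data) < PDB_HEADER_LEN:
        return ["file shorter than the 78-byte PDB header"]
    (num_records,) = struct.unpack_from(">H", data, 76)
    table_end = PDB_HEADER_LEN + num_records * REC_ENTRY_LEN
    if table_end > len(data):
        return [f"record table ({num_records} entries) runs past end of file"]
    offsets = [
        struct.unpack_from(">I", data, PDB_HEADER_LEN + i * REC_ENTRY_LEN)[0]
        for i in range(num_records)
    ]
    findings = []
    # A record ends where the next one starts; the last one ends at end of file.
    ends = offsets[1:] + [len(data)]
    for i, (start, end) in enumerate(zip(offsets, ends)):
        if start < table_end:
            findings.append(f"record {i}: offset {start} points into the header or record table")
        if end < start:
            # end - start is negative here; a reader that computes the size
            # without this check gets the underflow the advisory describes.
            findings.append(f"record {i}: offset {start} lies after its end boundary {end}")
    return findings


def build_pdb(offsets, body_len=32) -> bytes:
    """Constructed sample: PDB header plus record table and zero-filled body."""
    header = b"constructed-sample".ljust(32, b"\0")  # database name
    header += bytes(28)                              # attributes, version, dates, ids
    header += b"TESTtest"                            # type + creator (constructed)
    header += bytes(8)                               # unique id seed, next record list
    header += struct.pack(">H", len(offsets))        # number of records
    table = b"".join(struct.pack(">I", o) + bytes(4) for o in offsets)
    return header + table + bytes(body_len)


if __name__ == "__main__":
    for label, sample in (("ordered", build_pdb([94, 110])),
                          ("inverted", build_pdb([110, 94]))):
        print(label, check_pdb_record_offsets(sample) or "ok")
```

The check walks every adjacent pair, so a table with exactly two records is validated the same way as a longer one.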
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding opening untrusted or suspicious Mobi files with SumatraPDF, especially those that might be crafted to exploit this vulnerability. Since there are no published fixes at the time of publication, users should exercise caution and consider disabling or restricting the use of SumatraPDF for Mobi files. Monitoring for application crashes and reporting them can help in early detection. Applying any future patches that fix the validation loop and add proper bounds checking in the affected functions should be done as soon as they become available. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service by crashing the SumatraPDF application when opening a crafted Mobi file. It does not impact confidentiality or integrity of data, only availability. Therefore, it does not directly affect compliance with standards like GDPR or HIPAA, which primarily focus on data protection and privacy rather than availability. However, availability issues could indirectly affect compliance if critical documents cannot be accessed. [2]