CVE-2026-23951

Published: Jan 22, 2026Modified: Feb 17, 2026

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication.

Affected (1)

Products: Sumatrapdfreader: Sumatrapdf

Sumatrapdfreader

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sumatrapdfreader Sumatrapdf	All versions

Related CWEs

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Off-by-one Error

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

References (2)

https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp

Source: security-advisories@github.com

Product

https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.