CVE-2026-25920 is a heap out-of-bounds read vulnerability identified in SumatraPDF, a lightweight multi-format document reader for Windows, affecting versions 3.5.2 and earlier. The vulnerability exists in the MOBI HuffDic decompressor component, specifically within the AddCdicData() function. This function performs a bounds check that only validates half the range of data that the DecodeOne() function actually accesses. As a result, when a specially crafted .mobi file is opened, the decompressor reads beyond the allocated CDIC dictionary buffer by nearly (1 << codeLength) bytes. This out-of-bounds read can lead to application instability and crashes, effectively causing a denial of service (DoS). The vulnerability does not allow for code execution or data leakage, as it only reads memory beyond the buffer without further control. Exploitation requires the victim to open a malicious .mobi file, meaning user interaction is necessary. The CVSS v3.1 base score is 5.5 (medium severity), reflecting local attack vector, low attack complexity, no privileges required, user interaction required, and impact limited to availability. No known exploits have been reported in the wild, and no official patches have been released at the time of this report. The vulnerability is classified under CWE-125 (Out-of-bounds Read), a common memory safety issue that can lead to crashes or information disclosure in other contexts. SumatraPDF’s popularity as a free, open-source document reader makes this vulnerability relevant to users relying on it for reading .mobi eBooks and documents on Windows platforms.

For European organizations, the primary impact of CVE-2026-25920 is the potential for denial of service due to application crashes when opening maliciously crafted .mobi files in SumatraPDF. This could disrupt workflows that rely on SumatraPDF for document reading, especially in environments where .mobi files are common, such as publishing houses, libraries, educational institutions, and legal firms. Although the vulnerability does not compromise confidentiality or integrity, repeated crashes could lead to productivity loss and user frustration. In environments where SumatraPDF is integrated into automated document processing pipelines, this vulnerability could be exploited to cause service interruptions. Since exploitation requires user interaction, phishing or social engineering campaigns could be used to deliver malicious .mobi files. The lack of known exploits reduces immediate risk, but organizations should not be complacent. The medium severity rating suggests that while the threat is not critical, it warrants timely attention to avoid potential operational disruptions.

European organizations should implement the following specific mitigation measures: 1) Immediately audit and identify all instances of SumatraPDF in use, focusing on versions 3.5.2 and earlier. 2) Restrict or disable the opening of .mobi files in SumatraPDF where possible, especially from untrusted sources. 3) Educate users about the risks of opening unsolicited or suspicious .mobi files, emphasizing caution with email attachments and downloads. 4) Employ endpoint protection solutions that can detect and block malformed .mobi files or monitor for abnormal SumatraPDF crashes. 5) Consider deploying application whitelisting or sandboxing for SumatraPDF to contain potential crashes and prevent escalation. 6) Monitor vendor channels and security advisories for the release of patches or updates addressing this vulnerability and apply them promptly. 7) Where feasible, use alternative PDF or eBook readers with a better security track record for handling .mobi files until a patch is available. 8) Implement network-level controls to filter or quarantine suspicious file types in email gateways and file sharing platforms. These steps go beyond generic advice by focusing on controlling the specific attack vector (.mobi files) and minimizing user exposure.