CVE-2026-23951 in SumatraPDF
Summary
by MITRE • 01/22/2026
SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication.
Analysis
by VulDB Data Team • 01/23/2026
The vulnerability identified as CVE-2026-23951 affects SumatraPDF, a popular multi-format document reader for Windows platforms that supports various file types including the Mobi format. This security flaw represents a critical integer underflow condition that manifests specifically when processing Palm database files containing exactly two records. The vulnerability resides within the PalmDbReader::GetRecord function, which is responsible for parsing and validating Palm database structures during document opening operations. The precise triggering condition of exactly two records creates a unique exploitation scenario that bypasses normal validation mechanisms and leads to memory corruption.
The technical implementation of this vulnerability stems from an off-by-one error in the size calculation validation logic that governs how the application processes Palm database records. When a maliciously crafted Mobi file containing exactly two records is opened, the validation code fails to properly handle the boundary conditions, resulting in an integer underflow condition. This mathematical error occurs during the calculation of memory allocation sizes, where the subtraction operation produces a value that wraps around to a very large positive integer instead of the expected negative or zero value. The resulting memory layout corruption directly translates into an out-of-bounds heap read operation that attempts to access memory locations outside the allocated buffer boundaries.
The operational impact of this vulnerability extends beyond simple application crashes, representing a potential vector for more sophisticated attacks within the context of the software's execution environment. When the application encounters the crafted mobi file, the heap memory corruption triggers an immediate crash that terminates the SumatraPDF process. However, the underlying memory corruption condition could potentially be exploited to achieve arbitrary code execution if proper memory protection mechanisms are not in place. This vulnerability directly maps to CWE-129, which describes improper validation of array indices, and CWE-191, which covers integer underflow conditions. The attack surface is particularly concerning given that SumatraPDF is widely used for reading various document formats, making it a potentially attractive target for attackers seeking to exploit user trust in document readers.
The exploitation of this vulnerability requires careful crafting of a Mobi file that specifically contains exactly two records in its Palm database structure, making it a highly targeted attack vector. The lack of published fixes at the time of publication creates an extended window of exposure for users who may encounter such malicious documents through email attachments, web downloads, or other delivery mechanisms. Security practitioners should consider this vulnerability in the context of ATT&CK technique T1203, which covers exploitation of remote services, and T1059, which covers command and control communications. The vulnerability's impact is further amplified by the fact that it can be triggered through legitimate document opening operations without requiring special privileges or complex attack chains, making it particularly dangerous in enterprise environments where document readers are frequently used.
Organizations and individuals should immediately implement defensive measures including restricting document file type handling, implementing sandboxed execution environments for document processing, and monitoring for suspicious document access patterns. The vulnerability's specific triggering condition suggests that automated detection systems could potentially identify malicious files by examining Palm database structures for exactly two records. Regular updates to SumatraPDF should be prioritized once patches become available, while temporary workarounds may include disabling Mobi file support or implementing additional validation layers for document processing. Security monitoring should focus on detecting unusual application crashes or memory access patterns that could indicate exploitation attempts, particularly in environments where users frequently process external documents from untrusted sources.
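The record-count check suggested above, as an added triage example (not SumatraPDF's or VulDB's code): it reads the Palm database header of a file before it reaches a reader and reports the two-record condition plus basic record-offset problems. It assumes the standard PalmDB layout (78-byte big-endian header with the record count at offset 76, then 8-byte record entries); the function names and finding labels are hypothetical, the offset checks are a generic addition beyond what the advisory states, and all sample bytes are constructed.

```python
import struct

PDB_HEADER_LEN = 78  # fixed Palm database header (assumed standard layout)
REC_ENTRY_LEN = 8    # per record: u32 data offset, u8 attributes, 3-byte unique id


def inspect_palmdb(data):
    """Return a list of findings for a Palm database image; empty means nothing flagged."""
    if len(data) < PDB_HEADER_LEN:
        return ["truncated-header"]
    findings = []
    (num_records,) = struct.unpack_from(">H", data, 76)  # big-endian record count
    if num_records == 2:
        findings.append("exactly-two-records")  # condition named in the advisory
    table_end = PDB_HEADER_LEN + num_records * REC_ENTRY_LEN
    if table_end > len(data):
        return findings + ["truncated-record-table"]
    prev = table_end
    for i in range(num_records):
        (off,) = struct.unpack_from(">I", data, PDB_HEADER_LEN + i * REC_ENTRY_LEN)
        # Generic sanity check: record data must start after the record table,
        # must not precede the previous record, and must lie inside the file.
        if off < prev or off > len(data):
            findings.append(f"bad-offset-record-{i}")
        prev = off
    return findings


def build_sample(offsets, total_len):
    """Constructed test image: zeroed header, record table, zero padding."""
    header = bytearray(PDB_HEADER_LEN)
    header[60:68] = b"BOOKMOBI"  # type/creator fields used by Mobi files
    struct.pack_into(">H", header, 76, len(offsets))
    table = b"".join(struct.pack(">I", o) + bytes(4) for o in offsets)
    body = bytes(header) + table
    return body + bytes(total_len - len(body))


if __name__ == "__main__":
    samples = {
        "three-records": build_sample([104, 120, 136], 160),
        "two-records": build_sample([96, 112], 128),
        "offset-past-eof": build_sample([104, 120, 4096], 160),
    }
    for name, image in samples.items():
        print(name, inspect_palmdb(image))
```

A two-record count alone also occurs in legitimate files, so the finding is a reason to quarantine or sandbox the file for review, not proof of a crafted document.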