CVE-2026-25880 in SumatraPDF

Summary

by MITRE • 02/10/2026

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s system with the privileges of the current user, without any warning or user interaction beyond the menu click.


Analysis

by VulDB Data Team • 02/10/2026

CVE-2026-25880 represents a critical privilege escalation vulnerability in SumatraPDF versions 3.5.2 and earlier, where the application fails to properly validate file paths during the "Show in folder" functionality. This flaw resides in the application's handling of file system operations and demonstrates a classic path traversal vulnerability that allows attackers to execute arbitrary code through maliciously crafted file placements. The vulnerability specifically exploits the lack of proper sandboxing and privilege separation when the PDF reader attempts to launch explorer.exe from the same directory as the opened PDF document, creating a dangerous execution context that bypasses normal security boundaries. The flaw directly maps to CWE-78 and CWE-22, as it combines command injection with path manipulation vulnerabilities that enable unauthorized code execution. From an operational perspective, this vulnerability presents a severe risk to end-user systems because it requires no additional user interaction beyond a simple menu selection, making it particularly dangerous in phishing scenarios or when users unknowingly open malicious PDF files from untrusted sources. The attack vector operates through the Windows file association system where the application assumes that any executable in the same directory as the PDF is safe to execute, creating a dangerous trust relationship that violates fundamental security principles of least privilege and application sandboxing. The vulnerability aligns with ATT&CK technique T1204.002 (User Execution: Malicious File) and T1059.001 (Command and Scripting Interpreter: Visual Basic), as it leverages legitimate Windows functionality to execute malicious code while appearing to be normal application behavior. 
The impact extends beyond simple code execution to include potential privilege escalation scenarios where attackers can leverage the application's execution context to perform actions that would normally require elevated permissions. Organizations using SumatraPDF in enterprise environments face significant exposure risks as this vulnerability can be exploited through various attack vectors including email attachments, web downloads, or removable media. The lack of user warnings or confirmation prompts during the execution process means that victims are completely unaware of the malicious activity occurring on their systems, making detection and prevention particularly challenging. Security professionals should note that this vulnerability demonstrates the critical importance of proper input validation and privilege separation in document readers, as these applications often run with elevated privileges and handle untrusted content from various sources.

The technical implementation of this vulnerability exploits the application's failure to properly sanitize file paths when launching external processes through the Windows shell. When users select "Show in folder" from the File menu, SumatraPDF constructs a command line that directly references the PDF file location without proper validation of the contents of that directory. This creates a situation where a malicious attacker can place a specially crafted executable named explorer.exe in the same directory as a legitimate PDF document, causing the application to execute the malicious binary instead of the intended Windows explorer utility. The vulnerability demonstrates poor security practices in path resolution and process execution, where the application does not implement proper access controls or privilege separation mechanisms. The flaw is particularly concerning because it operates at the file system level where the application assumes that all executables in the same directory as the PDF are legitimate, violating fundamental security principles of file system isolation and execution context management. This vulnerability also highlights the importance of secure coding practices and the need for applications to properly validate all external inputs and file system operations. The attack requires minimal user interaction beyond the standard menu selection, making it highly effective in social engineering campaigns where users are tricked into opening malicious PDF files. From a defensive standpoint, this vulnerability underscores the necessity of maintaining updated software versions and implementing proper application whitelisting policies to prevent execution of unauthorized binaries in sensitive directories. The vulnerability's impact is amplified in environments where users have write access to directories containing PDF files, as attackers can simply place malicious executables in those locations to exploit the flaw. 
Organizations should consider implementing network-based detection mechanisms that monitor for unusual file execution patterns and ensure that all user-facing applications are regularly updated to address known vulnerabilities. The vulnerability also emphasizes the critical need for proper application sandboxing and privilege management, as the application should not be allowed to execute arbitrary binaries with elevated privileges without explicit user consent or proper validation mechanisms.
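As an added example (not SumatraPDF's code and not part of the VulDB analysis), the two defensive checks the analysis points at: a hardened launch helper that only ever resolves explorer.exe under the Windows directory instead of handing a bare name to the process loader, and a hunt that flags explorer.exe files sitting outside that directory, run here over a constructed folder layout. The allow-list, the stand-in Windows directory and the folder names are assumptions.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Names a "Show in folder" feature launches. A file with one of these names
# sitting next to user documents is the planted-binary indicator (assumed list).
SHELL_BINARY_NAMES = {"explorer.exe"}


def resolve_shell_binary(name: str, windows_dir: str) -> str:
    """Hardened launch helper: never hand a bare name to the process loader.
    Only allow-listed names are accepted, and the result is always anchored
    under windows_dir, so a same-named file beside the PDF is never reached."""
    if name.lower() not in SHELL_BINARY_NAMES:
        raise ValueError(f"refusing to launch non-allow-listed binary {name!r}")
    return str(PureWindowsPath(windows_dir) / name.lower())


def find_planted_binaries(scan_root: str, windows_dir: str) -> list:
    """Hunt helper: list files carrying a shell-binary name that live outside
    windows_dir. Paths are returned relative to scan_root, sorted."""
    win = Path(windows_dir).resolve()
    hits = []
    for dirpath, _dirs, files in os.walk(scan_root):
        for fname in files:
            if fname.lower() not in SHELL_BINARY_NAMES:
                continue
            full = Path(dirpath, fname).resolve()
            try:
                full.relative_to(win)  # inside the real Windows dir: legitimate
            except ValueError:
                hits.append(str(full.relative_to(Path(scan_root).resolve())))
    return sorted(hits)


def demo() -> list:
    """Constructed layout: a download folder holding a PDF and a planted
    explorer.exe, plus a stand-in Windows directory holding the real one."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Downloads")
        win = Path(tmp, "Windows")
        docs.mkdir()
        win.mkdir()
        (docs / "invoice.pdf").write_bytes(b"%PDF-1.4\n")    # constructed
        (docs / "explorer.exe").write_bytes(b"MZ planted")    # constructed
        (win / "explorer.exe").write_bytes(b"MZ legitimate")  # constructed
        return find_planted_binaries(tmp, str(win))
```

The hunt reports only the copy next to the PDF; the legitimate binary under the Windows directory is left out of the findings.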

Responsible: GitHub M

Reservation: 02/06/2026

Disclosure: 02/10/2026

Moderation: accepted

CPE: ready

EPSS: 0.00021

KEV: no

Activities: very low
