CVE-2026-23951 Overview
CVE-2026-23951 is an out-of-bounds read vulnerability affecting SumatraPDF, a popular multi-format document reader for Windows. The vulnerability exists in the PalmDbReader::GetRecord function and is triggered when opening a specially crafted Mobi file. An off-by-one error in the validation code causes an integer underflow in the size calculation when exactly 2 records are present, resulting in an out-of-bounds heap read that crashes the application.
Critical Impact
Opening a maliciously crafted Mobi file can cause SumatraPDF to crash due to an out-of-bounds heap read, resulting in denial of service.
Affected Products
- SumatraPDF (all versions)
- Windows systems running SumatraPDF with Mobi file support
Discovery Timeline
- 2026-01-22 - CVE-2026-23951 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-23951
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-bounds Read). The flaw resides in the PalmDbReader::GetRecord function within the PalmDbReader.cpp source file. When processing a Mobi file containing exactly 2 records, an off-by-one error in the validation logic causes the size calculation to underflow. This integer underflow results in an incorrect memory access, leading to a heap-based out-of-bounds read.
The local attack vector requires user interaction—specifically, a victim must open a maliciously crafted Mobi file. While this vulnerability does not allow code execution or data modification, it can reliably crash the SumatraPDF application, causing a denial of service condition.
Root Cause
The root cause is an off-by-one error in the boundary validation code within the Palm database record parsing logic. When the record count equals exactly 2, the validation check fails to properly account for the boundary condition, causing an integer underflow during the size calculation. This underflowed value is then used to read memory beyond the allocated heap buffer.
Attack Vector
The attack requires local access and user interaction. An attacker must craft a malicious Mobi file with exactly 2 records designed to trigger the off-by-one condition in the validation code. The victim must then open this file using SumatraPDF.
The exploitation flow is as follows:
- Attacker creates a specially crafted Mobi file with exactly 2 records
- The file is delivered to the victim via email, download, or other means
- Victim opens the malicious Mobi file with SumatraPDF
- The PalmDbReader::GetRecord function processes the file
- The off-by-one validation error triggers an integer underflow
- An out-of-bounds heap read occurs, crashing the application
For technical implementation details, refer to the GitHub source code file and the GitHub Security Advisory.
Detection Methods for CVE-2026-23951
Indicators of Compromise
- SumatraPDF crash events when opening Mobi files
- Application crash dumps showing memory access violations in PalmDbReader::GetRecord
- Windows Event Log entries indicating SumatraPDF terminated unexpectedly
- Suspicious Mobi files with unusual record counts (exactly 2 records)
Detection Strategies
- Monitor for repeated SumatraPDF crashes when users open Mobi format files
- Implement endpoint detection rules to identify application crashes with heap read violations
- Analyze crash dumps for stack traces containing PalmDbReader::GetRecord or PalmDbReader.cpp
- Deploy file inspection rules to flag Mobi files with abnormal record structures
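One way to implement the file-inspection rule above (and to check the "exactly 2 records" indicator listed under Indicators of Compromise), as an added example that is not part of this advisory or of the SumatraPDF project: it parses the PalmDB container header that Mobi files use, reports the record count and the per-record sizes a reader derives from the offset table, and flags files with exactly 2 records or with inconsistent record boundaries. The BOOKMOBI type/creator check and the build_sample helper are assumptions for offline use; the advisory gives no details of a trigger file beyond its record count.

```python
import struct

PDB_HEADER_LEN = 78  # fixed PalmDB header; numRecords is a big-endian u16 at offset 76
ENTRY_LEN = 8        # record-list entry: u32 offset, u8 attributes, 3-byte unique id

def triage_palmdb(data: bytes) -> dict:
    """Parse the PalmDB container of a .mobi/.prc file; return record count, sizes and anomalies."""
    report = {"num_records": 0, "record_sizes": [], "problems": []}
    if len(data) < PDB_HEADER_LEN:
        report["problems"].append("file shorter than the 78-byte PalmDB header")
        return report
    type_creator = data[60:68]
    if type_creator != b"BOOKMOBI":
        report["problems"].append(f"unexpected type/creator {type_creator!r}")
    n = report["num_records"] = struct.unpack_from(">H", data, 76)[0]
    if n == 2:
        report["problems"].append("record count is exactly 2 (CVE-2026-23951 trigger condition)")
    list_end = PDB_HEADER_LEN + n * ENTRY_LEN
    if list_end > len(data):
        report["problems"].append("record list runs past end of file")
        return report
    offsets = [struct.unpack_from(">I", data, PDB_HEADER_LEN + i * ENTRY_LEN)[0] for i in range(n)]
    for i, off in enumerate(offsets):
        # A reader derives record i's size from the next offset (file size for the last record);
        # an inconsistent boundary here is where a mis-validated size calculation goes wrong.
        end = offsets[i + 1] if i + 1 < n else len(data)
        if off < list_end or end > len(data) or end < off:
            report["problems"].append(f"record {i}: offset {off} out of order or outside the file")
            report["record_sizes"].append(None)
        else:
            report["record_sizes"].append(end - off)
    return report

def build_sample(records: list) -> bytes:
    """Build a minimal 'BOOKMOBI' PalmDB container from record payloads (constructed test data)."""
    n = len(records)
    header = b"sample".ljust(32, b"\0") + struct.pack(">HHIIIIII", 0, 0, 0, 0, 0, 0, 0, 0)
    header += b"BOOKMOBI" + struct.pack(">IIH", 0, 0, n)
    off = PDB_HEADER_LEN + n * ENTRY_LEN + 2  # payloads follow the list plus 2 padding bytes
    entries, body = b"", b""
    for i, rec in enumerate(records):
        entries += struct.pack(">I", off) + b"\0" + i.to_bytes(3, "big")
        body, off = body + rec, off + len(rec)
    return header + entries + b"\0\0" + body

if __name__ == "__main__":
    print(triage_palmdb(build_sample([b"A" * 16, b"B" * 8])))  # flagged: exactly 2 records
```

Run it over quarantined .mobi files (pass the file bytes to triage_palmdb) and alert on any non-empty "problems" list; a two-record file is not proof of malice, so treat the hit as a triage signal rather than a verdict.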
Monitoring Recommendations
- Enable crash reporting and monitoring for SumatraPDF across managed endpoints
- Configure Windows Error Reporting (WER) to capture crash dumps for analysis
- Implement user behavior analytics to detect patterns of document-based attacks
- Monitor file download activity for suspicious Mobi files from untrusted sources
How to Mitigate CVE-2026-23951
Immediate Actions Required
- Consider temporarily restricting or blocking Mobi file associations with SumatraPDF until a patch is available
- Educate users about the risks of opening Mobi files from untrusted sources
- Implement endpoint protection to scan files before they are opened
- Monitor for security updates from the SumatraPDF project
Patch Information
There are no published fixes available at the time of publication. Users should monitor the SumatraPDF GitHub repository and the security advisory for updates regarding patches.
Workarounds
- Avoid opening Mobi files from untrusted or unknown sources
- Use alternative document readers for Mobi files until a patch is released
- Implement file type blocking policies to prevent Mobi files from reaching end users
- Deploy application whitelisting to control which applications can open specific file types
# Example: Windows file association removal for Mobi files (PowerShell)
# Deletes the current user's explicit .mobi handler choice (the UserChoice key). Explorer then falls
# back to the machine-wide HKCR\.mobi association, so also verify SumatraPDF is not registered there.
# Run in each affected user's session; the key lives under HKCU, not HKLM.
Remove-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mobi" -Recurse -Force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.