Description
A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a NULL pointer dereference in Nitro PDF Pro for Windows that can be triggered by a specially crafted XFA packet, allowing an attacker to cause the application to crash and deny service. The weakness is a classic null pointer dereference leading to failure in the PDF processing engine.

Affected Systems

Nitro PDF Pro for Windows version 14.41.1.4 is directly affected.

Risk and Exploitability

The CVSS score indicates medium to high severity with a 7.5 rating. The exploit probability is unknown as EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or privileged, inferred from the need for a crafted PDF file to be processed by the application; it is not stated whether remote or network exploitation is possible.

Generated by OpenCVE AI on April 13, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Nitro PDF Pro
  • If no patch is available, avoid opening unknown or untrusted PDF files
  • Enable or configure the application to disable XFA processing if supported

Generated by OpenCVE AI on April 13, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:gonitro:nitro_pdf_pro:14.41.1.4:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in Nitro PDF Pro Leads to DoS via XFA Packet

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Gonitro
Gonitro nitro Pdf Pro
Vendors & Products Gonitro
Gonitro nitro Pdf Pro

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet.
References

Subscriptions

Gonitro Nitro Pdf Pro
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T19:00:25.873Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-66769

cve-icon Vulnrichment

Updated: 2026-04-13T19:00:22.107Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T16:16:24.620

Modified: 2026-04-23T16:51:39.057

Link: CVE-2025-66769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:35:51Z

Weaknesses