CVE-2026-25961 - Vulnerability Details

- SumatraPDF Update MITM -> Arbitrary Code Execution

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution.

Published: 2026-02-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

SumatraPDF’s update system, between versions 3.5.0 and 3.5.2, turns off TLS hostname verification and installs software without verifying signatures. This creates a pathway for an attacker to serve a malicious installer during a routine update check, allowing them to run arbitrary code on the target machine. The vulnerability is a classic example of certificate validation failure combined with missing signature verification; the result is a full compromise of the victim system.

Affected Systems

The affected product is SumatraPDF Reader, versions 3.5.0 through 3.5.2, used on Windows platforms. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.5 marks the flaw as high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not identified in the CISA KEV catalog, suggesting no documented public exploitation. The attack proceeds over the network: a malicious actor intercepts the HTTPS update request, substitutes a malicious installer URL, and gains code execution. This requires network presence and control of the TLS certificate chain, which can be obtained with a legitimate certificate such as Let’s Encrypt. Although rare, the potential impact is complete loss of system integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

sumatrapdfreader

sumatrapdf

affected

Version	Status	Constraints
`>= 3.5.0, <= 3.5.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Sumatrapdfreader

Sumatrapdf

—

Version	Status	Scheme	Platform
`[3.5.0,3.5.2]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install SumatraPDF version 3.5.3 or later, which restores hostname verification and enforces installer signature checks.
Disable the automatic update feature or configure the update client to accept only signed installers and reject unsigned downloads.
Block or filter update traffic at the network perimeter to prevent interception of the TLS session used for updating SumatraPDF.

Generated by OpenCVE AI on April 17, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q

History

Fri, 20 Feb 2026 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:sumatrapdfreader:sumatrapdf::::::::

Tue, 10 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sumatrapdfreader Sumatrapdfreader sumatrapdf
Vendors & Products		Sumatrapdfreader Sumatrapdfreader sumatrapdf

Mon, 09 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution.
Title		SumatraPDF Update MITM -> Arbitrary Code Execution
Weaknesses		CWE-295 CWE-494
References		https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Sumatrapdfreader Sumatrapdf

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-09T21:34:05.203Z

Updated: 2026-02-10T15:57:28.303Z

Reserved: 2026-02-09T17:13:54.066Z

Link: CVE-2026-25961

Vulnrichment

Updated: 2026-02-10T15:32:02.622Z

NVD

Status : Analyzed

Published: 2026-02-09T22:16:04.750

Modified: 2026-02-20T20:22:32.817

Link: CVE-2026-25961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object