CVE-2026-25961 HIGH

CVE-2026-25961: SumatraPDF Update MITM -> Arbitrary Code Execution

Vendor Sumatrapdfreader
Product sumatrapdf
Weakness CWE-295
Published February 9, 2026
Last update February 10, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

SumatraPDF is a multi-format document reader for Windows. In versions 3.5.0 through 3.5.2, the update mechanism disables TLS hostname verification (it passes INTERNET_FLAG_IGNORE_CERT_CN_INVALID when fetching the update check) and runs downloaded installers without verifying their signature. Because hostname verification is off, any certificate that chains to a root trusted by Windows is accepted regardless of which host it was issued for, so an attacker on the network path who holds a valid certificate for any domain (e.g., one issued by Let's Encrypt) can intercept the update check, substitute a malicious installer URL, and achieve arbitrary code execution on the victim's machine.
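The record describes two missing checks: hostname verification on the update channel and signature verification of the installer. The following PowerShell is an added example (not SumatraPDF's own code) for defenders: it flags installed builds in the affected 3.5.0 through 3.5.2 range and verifies an installer's Authenticode signature and signer before it is run, which is the check the vulnerable updater omitted. $ExePath, $InstallerPath and $ExpectedSignerCN are placeholders to be adjusted for your environment.

```powershell
# Added example, not SumatraPDF's own code: flag installed builds in the affected
# range (3.5.0-3.5.2) and verify an installer's Authenticode signature before it
# is run, which is the check the vulnerable updater omitted.
# Assumptions: $ExePath, $InstallerPath and $ExpectedSignerCN are placeholders.
$ExePath          = "$env:ProgramFiles\SumatraPDF\SumatraPDF.exe"   # assumed install path
$InstallerPath    = "$env:TEMP\SumatraPDF-installer.exe"            # assumed download path
$ExpectedSignerCN = 'EXPECTED-SIGNER-CN-PLACEHOLDER'                # take from a known-good release

function Get-InstalledVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # ProductVersion may carry a suffix; keep only the numeric prefix and pad to three parts
    # so that "3.5" compares equal to "3.5.0" instead of sorting below it.
    if ($info.ProductVersion -match '^(\d+\.\d+(\.\d+)?)') {
        $v = $Matches[1]
        if ($v.Split('.').Count -eq 2) { $v += '.0' }
        return [version]$v
    }
    return $null
}

function Test-AffectedVersion {
    param($Version)
    if ($null -eq $Version) { return $false }
    return ($Version -ge [version]'3.5.0') -and ($Version -le [version]'3.5.2')
}

function Test-TrustedInstaller {
    param([string]$Path, [string]$SignerCN)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the signature chains to a trusted root and the file hash still matches;
    # anything else (NotSigned, HashMismatch, UnknownError) must block execution.
    if ($sig.Status -ne 'Valid') { return $false }
    # Pin the signer too: a valid signature from an unrelated publisher is not sufficient.
    return $sig.SignerCertificate.Subject -like "*CN=$SignerCN*"
}

$installed = Get-InstalledVersion -Path $ExePath
if (Test-AffectedVersion -Version $installed) {
    Write-Warning "SumatraPDF $installed is in the affected range; do not trust in-app updates until fixed."
}

if (Test-Path -LiteralPath $InstallerPath) {
    if (Test-TrustedInstaller -Path $InstallerPath -SignerCN $ExpectedSignerCN) {
        Write-Output "Installer signature verified and signer matches; safe to launch."
    } else {
        Write-Warning "Installer signature missing, invalid or from an unexpected signer; do not run it."
    }
}
```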

Key dates

Disclosure timeline

February 9, 2026 CVE published
February 10, 2026 Record updated