CVE-2026-25880
Published: 09 February 2026
Summary
CVE-2026-25880 is a high-severity Untrusted Search Path (CWE-426) vulnerability in SumatraPDF (vendor sumatrapdfreader), a multi-format document reader for Windows. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). It ranks at the 6.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 Flaw Remediation directly addresses the untrusted search path: updating SumatraPDF from 3.5.2 or earlier to a patched release removes the behavior that launches an executable found in the opened PDF's directory.
CM-10 Software Usage Restrictions, implemented as deny-all, permit-by-exception allow-listing of executables, blocks an unauthorized explorer.exe placed in the PDF's directory even if the reader attempts to launch it.
SI-3 Malicious Code Protection can scan and block the binary masquerading as explorer.exe when the 'Show in folder' action invokes it, but only if the sample is detected; a custom binary built for one target may not be, so this control supports the two above rather than replacing them.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The untrusted search path (CWE-426) in SumatraPDF directly enables path interception: the application executes a malicious executable (e.g., explorer.exe) from the directory containing the opened PDF, which is searched ahead of the Windows system directories, instead of the legitimate system binary. This matches T1574.008 Path Interception by Search Order Hijacking.
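Detection logic for the technique named above, as an added example that is not part of this page or of the SumatraPDF project. It scans constructed Sysmon-style process-creation records and flags an image named explorer.exe that does not live under the Windows directory; a SumatraPDF parent raises the hit to the CVE-specific verdict, any other parent is reported as a generic search-order hijack candidate. The field names (Image, ParentImage, CurrentDirectory), the reader image name and the Windows directory are assumptions to adapt to your own telemetry.

```python
"""Flag process-creation events consistent with CVE-2026-25880 / T1574.008:
an executable named explorer.exe launched from outside the Windows directory.

Added example, not SumatraPDF project code. Event shape, field names and
paths below are assumptions modelled on Sysmon Event ID 1."""
import json
import ntpath

# System binary names a reader would launch by name; the hijack works by
# shadowing one of them in the directory that holds the opened document.
SHADOWED_SYSTEM_BINARIES = {"explorer.exe"}
WINDOWS_DIR = r"C:\Windows"           # legitimate explorer.exe lives directly here
READER_IMAGES = {"sumatrapdf.exe"}    # parent image names for the vulnerable reader


def _under(path, root):
    """Case-insensitive test that `path` lies inside `root` (Windows semantics)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def classify(event):
    """Return None (benign), "candidate" (shadowed system binary outside the
    Windows directory) or "reader-launched" (same, with SumatraPDF as parent)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if ntpath.basename(image).lower() not in SHADOWED_SYSTEM_BINARIES:
        return None
    if _under(image, WINDOWS_DIR):
        return None  # the real binary, wherever under %SystemRoot% it sits
    if ntpath.basename(parent).lower() in READER_IMAGES:
        return "reader-launched"
    return "candidate"


def find_hijacks(jsonl):
    """Run classify() over newline-delimited JSON events; return (Image, verdict) hits."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        verdict = classify(event)
        if verdict is not None:
            hits.append((event["Image"], verdict))
    return hits


# Constructed sample telemetry: one legitimate launch, one CVE-shaped launch,
# one generic hijack candidate, and one unrelated child process.
SAMPLE_EVENTS = r'''
{"EventID":1,"Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Program Files\\SumatraPDF\\SumatraPDF.exe","CurrentDirectory":"C:\\Users\\alice\\Documents\\"}
{"EventID":1,"Image":"C:\\Users\\alice\\Downloads\\invoice\\explorer.exe","ParentImage":"C:\\Program Files\\SumatraPDF\\SumatraPDF.exe","CurrentDirectory":"C:\\Users\\alice\\Downloads\\invoice\\"}
{"EventID":1,"Image":"C:\\Users\\alice\\Downloads\\explorer.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CurrentDirectory":"C:\\Users\\alice\\Downloads\\"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Program Files\\SumatraPDF\\SumatraPDF.exe","CurrentDirectory":"C:\\Users\\alice\\Documents\\"}
'''

if __name__ == "__main__":
    for image, verdict in find_hijacks(SAMPLE_EVENTS):
        print(f"{verdict:16} {image}")
```

The path check uses "under the Windows directory" rather than an exact path so that the 32-bit copy under SysWOW64 is not flagged; tighten it to an exact path list if your baseline allows.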
NVD Description
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s system with the privileges of the current user, without any warning or user interaction beyond the menu click.
Deeper analysis
CVE-2026-25880 affects SumatraPDF, a multi-format reader for Windows, in versions 3.5.2 and earlier. The vulnerability arises when the PDF reader executes a malicious binary, such as explorer.exe, located in the same directory as the opened PDF file upon the user selecting File → “Show in folder”. This flaw, classified under CWE-426 (Untrusted Search Path), enables arbitrary code execution on the victim's system with the privileges of the current user and no additional warnings or interaction beyond the menu selection. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-02-09.
An attacker who can get a file into the directory from which the victim opens a PDF (a zip archive or shared folder that carries both a lure PDF and an executable named explorer.exe, for example) can exploit this. When the victim opens the PDF in SumatraPDF and clicks File → “Show in folder”, the reader resolves explorer.exe against a search path in which the PDF's directory precedes the Windows system directories, so the attacker's binary runs instead of %SystemRoot%\explorer.exe, with the victim's privileges and full impact on confidentiality, integrity and availability. The CVSS vector reflects this: local attack vector, low complexity, no privileges required of the attacker, and user interaction limited to the menu click.
Mitigation details and patches are outlined in the GitHub security advisory at https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5x4h-247q-px37. Update SumatraPDF to a release later than 3.5.2. Until then, treat a PDF that arrives alongside an executable, particularly one named after a Windows system binary, as suspicious, and avoid opening PDFs from directories you do not control.
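To make the root cause concrete, here is an added example (not SumatraPDF's code and not the advisory's) that models how Windows resolves an unqualified executable name and why a fully qualified path closes the hole. It follows the CreateProcess search order documented by Microsoft (application directory, parent's current directory, System32, the 16-bit System directory, the Windows directory, then PATH) over a constructed in-memory list of files. Assumptions: the vulnerable pattern launches "explorer.exe" by bare name with the PDF's directory as the current directory; the Windows installation is under C:\Windows; ShellExecute-specific behaviour and the NoDefaultCurrentDirectoryInExePath setting are left out of the model.

```python
"""Model of Windows executable-name resolution (CWE-426 / CVE-2026-25880).

Added example, not project code. The file list, directories and PATH are
constructed; the search order is the CreateProcess order from Microsoft's
documentation, simplified (no ShellExecute specifics, no
NoDefaultCurrentDirectoryInExePath handling)."""
import ntpath

WINDOWS_DIR = r"C:\Windows"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
PATH = r"C:\Windows\System32;C:\Windows;C:\Tools"   # constructed PATH value


def search_order(app_dir, cwd, path_env=PATH):
    """Directories tried, in order, for an unqualified command name."""
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDOWS_DIR, *path_env.split(";")]


def resolve(command, files, app_dir, cwd, path_env=PATH):
    """Return the existing file that `command` resolves to, or None.

    `files` is the constructed set of executables that exist on disk.
    A fully qualified command skips the search entirely."""
    existing = {ntpath.normcase(f): f for f in files}
    if ntpath.isabs(command):
        return existing.get(ntpath.normcase(command))
    for directory in search_order(app_dir, cwd, path_env):
        candidate = ntpath.normcase(ntpath.join(directory, command))
        if candidate in existing:
            return existing[candidate]
    return None


def show_in_folder_vulnerable(pdf_path, files, app_dir):
    """CWE-426 pattern: bare name, current directory = the PDF's directory.
    Whatever explorer.exe sits next to the PDF wins over the real one."""
    return resolve("explorer.exe", files, app_dir, ntpath.dirname(pdf_path))


def show_in_folder_hardened(pdf_path, files, app_dir):
    """Fix pattern: build the full path from the Windows directory, so the
    PDF's directory is never consulted. (Modelled fix, not the project's diff.)"""
    target = ntpath.join(WINDOWS_DIR, "explorer.exe")
    return resolve(target, files, app_dir, ntpath.dirname(pdf_path))


# Constructed scenario: a lure PDF and a planted explorer.exe in one folder.
APP_DIR = r"C:\Program Files\SumatraPDF"
LURE_PDF = r"C:\Users\alice\Downloads\invoice\invoice.pdf"
FILES_WITH_PLANT = {
    r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\alice\Downloads\invoice\explorer.exe",   # attacker's binary
}
FILES_CLEAN = FILES_WITH_PLANT - {r"C:\Users\alice\Downloads\invoice\explorer.exe"}

if __name__ == "__main__":
    print("vulnerable, planted:", show_in_folder_vulnerable(LURE_PDF, FILES_WITH_PLANT, APP_DIR))
    print("hardened,   planted:", show_in_folder_hardened(LURE_PDF, FILES_WITH_PLANT, APP_DIR))
    print("vulnerable, clean  :", show_in_folder_vulnerable(LURE_PDF, FILES_CLEAN, APP_DIR))
```

The same model explains why allow-listing (CM-10) is an effective compensating control: the resolved path in the vulnerable case is under the user's profile, exactly the location a deny-all, permit-by-exception policy would refuse to execute.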
Details
- CWE(s)