CVE-2026-25961
Published: 09 February 2026
Summary
CVE-2026-25961 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Sumatrapdfreader Sumatrapdf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Component authenticity requires verifying origin/integrity of acquired firmware or software, directly preventing inclusion of code without integrity checks.
Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.
Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.
Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.
Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.
Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery.
Reduces exposure to code obtained without integrity verification by requiring assurance processes that confirm authenticity and absence of tampering.
Tamper resistance and detection commonly include integrity verification of code and firmware obtained from external sources.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in update mechanism (disabled TLS hostname verification + missing installer signature checks) directly enables MITM attacker to deliver and trigger execution of arbitrary code via malicious update payload.
NVD Description
SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update…
more
check request, inject a malicious installer URL, and achieve arbitrary code execution.
Deeper analysisAI
CVE-2026-25961 affects SumatraPDF, a multi-format reader for Windows, specifically versions 3.5.0 through 3.5.2. The vulnerability lies in the application's update mechanism, which disables TLS hostname verification by using the INTERNET_FLAG_IGNORE_CERT_CN_INVALID flag and executes downloaded installers without performing signature checks. This issue, published on 2026-02-09, is associated with CWE-295 (Improper Certificate Validation) and CWE-494 (Download of Code Without Integrity Check), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H).
A network-based attacker positioned to perform a man-in-the-middle interception can exploit this vulnerability if they possess any valid TLS certificate, such as one issued by Let's Encrypt. By intercepting the update check request from a victim user, the attacker can inject a malicious installer URL. If the user interacts with the update process (UI:R), the application will download and execute the malicious installer, resulting in arbitrary code execution on the victim's Windows system with the user's privileges.
Mitigation details and patches are outlined in the official GitHub security advisory at https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q.
Details
- CWE(s)