CVE-2024-8816: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains a use-after-free vulnerability (CVE-2024-8816) that was discovered in the parsing of U3D files. The vulnerability was reported on May 19, 2024, and publicly disclosed on September 17, 2024. This vulnerability affects PDF-XChange Editor installations prior to version 10.3.1.387 (ZDI Advisory).

The vulnerability stems from the lack of validation when checking the existence of an object prior to performing operations on it during U3D file parsing. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by NIST NVD, while Zero Day Initiative rates it as 3.3 LOW (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). The vulnerability is classified as CWE-416 (Use After Free) (NVD).

The vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. When exploited, this vulnerability could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.3.1.387. Users are advised to upgrade to this version or later to mitigate the vulnerability (ZDI Advisory).