CVE-2024-8820: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains an out-of-bounds read vulnerability in its U3D file parsing functionality. The vulnerability (CVE-2024-8820) was discovered and reported on May 19, 2024, and affects PDF-XChange Editor version 10.3.0.386 and earlier versions (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of U3D files, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) by NIST with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, while Zero Day Initiative rates it at 3.3 (LOW) with a vector of CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. When exploited, this vulnerability could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.3.1.387. Users are advised to upgrade to this version or later to mitigate the vulnerability (ZDI Advisory).