CVE-2024-8832: 
PDF-XChange Editor vulnerability analysis and mitigation

CVE-2024-8832 is an information disclosure vulnerability affecting PDF-XChange Editor. The vulnerability was discovered and reported on June 6, 2024, and publicly disclosed on September 17, 2024. This security flaw affects installations of PDF-XChange Editor version 10.3.0.386 and earlier (ZDI Advisory).

The vulnerability exists within the parsing of EMF (Enhanced Metafile) files and stems from insufficient validation of user-supplied data. Specifically, the flaw results in an out-of-bounds read past the end of an allocated object. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM by NIST (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and 3.3 LOW by Zero Day Initiative (Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. The impact is primarily limited to information disclosure, though it could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.3.1.387. Users are advised to upgrade to this version or later to mitigate the vulnerability (ZDI Advisory).

The vulnerability was discovered and reported by security researcher Rocco Calvi (@TecR0c) with TecSecurity through the Zero Day Initiative program (ZDI Advisory).