CVE-2025-0906: 
PDF-XChange Editor vulnerability analysis and mitigation

CVE-2025-0906 is a vulnerability discovered in PDF-XChange Editor affecting versions up to (excluding) 10.4.2.390. The vulnerability was initially reported on September 26, 2024, and publicly disclosed on January 31, 2025. This security flaw affects the JB2 file parsing functionality in PDF-XChange Editor, allowing remote attackers to disclose sensitive information on affected installations (ZDI Advisory, NVD).

The vulnerability stems from improper validation of user-supplied data during the parsing of JB2 files, which can result in a read past the end of an allocated buffer. The issue has been classified as CWE-125 (Out-of-bounds Read). The vulnerability has received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Zero Day Initiative assigned a lower CVSS v3.0 score of 3.3 (LOW) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD, ZDI Advisory).

When successfully exploited, this vulnerability allows attackers to disclose sensitive information from affected PDF-XChange Editor installations. The vulnerability requires user interaction, specifically the target must visit a malicious page or open a malicious file. Additionally, attackers can potentially leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.4.2.390. Users are advised to upgrade to this version or later to mitigate the risk (ZDI Advisory).