CVE-2025-6643: 
PDF-XChange Editor vulnerability analysis and mitigation

CVE-2025-6643 is a vulnerability discovered in PDF-XChange Editor that affects the parsing of U3D files. The vulnerability was discovered on March 7, 2025, and publicly disclosed on June 25, 2025. This security flaw allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor version 10.5.2.395 and earlier (ZDI Advisory, Security Bulletin).

The vulnerability stems from improper validation of user-supplied data during the parsing of U3D files, resulting in an out-of-bounds read past the end of an allocated object. The vulnerability has been assigned a CVSS v3.0 score of 3.3 (Low) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating local access, low attack complexity, no privileges required, and user interaction required (ZDI Advisory).

When exploited, this vulnerability enables attackers to disclose sensitive information from affected PDF-XChange Editor installations. The vulnerability can potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

PDF-XChange has released version 10.6.0.396 to address this vulnerability. Users are advised to update their installations to the latest version to mitigate the security risk (Security Bulletin).