CVE-2025-6644: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains a Use-After-Free Remote Code Execution vulnerability (CVE-2025-6644) discovered and disclosed on June 25, 2025. The vulnerability affects PDF-XChange Editor version 10.5.2.395 and related products, specifically in the parsing of U3D files. This security flaw requires user interaction, where the target must visit a malicious page or open a malicious file to be exploited (ZDI Advisory, Vendor Advisory).

The vulnerability stems from the lack of proper validation when handling U3D files, specifically failing to validate the existence of an object prior to performing operations on it, leading to a Use-After-Free condition. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (High) with the vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It is classified under CWE-416 (Use After Free) (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of PDF-XChange Editor. The high CVSS score of 7.8 indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (ZDI Advisory).

PDF-XChange has released version 10.6.0.396 to address this vulnerability along with several other security issues. Users are advised to update their installations to the latest version available through the official security bulletin (Vendor Advisory).