CVE-2025-6657: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains an out-of-bounds read information disclosure vulnerability (CVE-2025-6657) that affects the PRC file parsing functionality. The vulnerability was discovered and reported through the Zero Day Initiative (ZDI-CAN-26732) and was publicly disclosed on June 25, 2025. This security flaw affects PDF-XChange Editor version 10.5.2.395 and requires user interaction to exploit (ZDI Advisory, NVD Entry).

The vulnerability stems from improper validation of user-supplied data during the parsing of PRC files, which can result in a read past the end of an allocated buffer. The issue has been assigned a CVSS v3.0 base score of 3.3 (LOW) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating local access is required and user interaction is necessary for exploitation (ZDI Advisory).

The vulnerability allows attackers to disclose sensitive information on affected installations of PDF-XChange Editor. When successfully exploited, this vulnerability could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

PDF-XChange has released an update to address this vulnerability. Users are advised to update to version 10.6.0.396, which was released on May 6, 2025 (Security Bulletin).