
Pdf Tools CVE-2025-6645
EUVD ID: EUVD-2025-19147
Severity: HIGH (CVSS 3.0 base score 7.8)
Weakness: Use After Free (CWE-416)
Published: 2025-06-25, reported by zdi-disclosures@trendmicro.com

CVSS Vector (NVD): CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd), EUVD-2025-19147
Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
CVE Published: Jun 25, 2025 - 22:15 (nvd), HIGH 7.8

Description (NVD)

PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26642.

Analysis (AI-generated)

CVE-2025-6645 is a use-after-free vulnerability in PDF-XChange Editor's U3D file parser that allows remote code execution with high severity (CVSS 7.8). The vulnerability affects PDF-XChange Editor across multiple versions when it processes a malicious PDF with embedded U3D content; an attacker can execute arbitrary code in the application's process context, with the only user interaction required being that the victim opens the malicious file or visits a compromised web page. The vulnerability was previously tracked as ZDI-CAN-26642 and represents a critical remote code execution risk for users of this widely used PDF editor.

Technical Context (AI-generated)

The vulnerability exists in PDF-XChange Editor's implementation of U3D (Universal 3D) file parsing, a standard format for embedding 3D objects within PDF documents (ISO/IEC 14496-17). The root cause is classified as CWE-416 (Use-After-Free), where the parser fails to validate object existence before performing operations on heap-allocated memory structures related to U3D model data. This type of memory corruption vulnerability occurs when code attempts to access previously freed memory, leading to potential control-flow hijacking or arbitrary code execution. The defect is in the object lifecycle management within the PDF-XChange Editor library responsible for deserializing and processing U3D embedded objects, likely in file parsing routines that construct 3D model structures without proper reference counting or existence validation checks.

Remediation (AI-generated)

Immediate actions:
(1) Consult the Tracker Software Products security advisory for the CVE-2025-6645 patch release (likely PDF-XChange Editor version 2024.x or later; the specific build number requires vendor confirmation).
(2) Update PDF-XChange Editor to the latest patched version immediately, prioritizing enterprise deployments.
(3) Until a patch is available: disable U3D support if possible via application settings, restrict opening of untrusted PDF files, and educate users against opening PDFs from unverified sources.

Mitigation:
(4) Deploy application whitelisting to restrict PDF-XChange Editor execution in high-security environments.
(5) Use file scanning solutions that decompose and inspect embedded U3D objects in PDF submissions.
(6) Monitor for suspicious U3D-embedded PDFs in email gateways.

Workarounds: Run PDF-XChange Editor in a sandboxed environment (e.g., Sandboxie, Windows Sandbox) pending patch availability.

Vendor patch status: Contact Tracker Software Products or monitor https://www.tracker-software.com/security for the patch release timeline and CVE bulletin.
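Mitigation items (5) and (6) call for inspecting PDFs for embedded U3D objects. As an added example that is not part of this page nor any vendor tooling, the Python triage script below flags PDF stream objects that declare /Subtype /U3D (or /Type /3D) or whose decoded payload begins with the U3D file-header magic, so a gateway can quarantine or route such files for closer inspection. The sample PDF it scans is constructed inline, and the function and variable names are my own; the object/stream matching is a byte-level heuristic rather than a full PDF parser.

```python
import re
import zlib

# U3D files open with a File Header block whose type field is 0x00443355,
# which is the byte sequence "U3D\0" when stored little-endian.
U3D_MAGIC = b"U3D\x00"

# Heuristic byte-level object/stream matching; a full PDF parser would also
# honour /Length, xref tables and object streams.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def _decode(body: bytes, dictionary: bytes) -> bytes:
    """Undo FlateDecode when declared; other filters and corrupt data pass through."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(body)
        except zlib.error:
            return body  # truncated or malformed stream: still inspect raw bytes
    return body


def scan_pdf_for_u3d(data: bytes) -> list:
    """One finding per stream that declares itself 3D/U3D or carries the U3D header."""
    findings = []
    for obj_num, body in OBJ_RE.findall(data):
        m = STREAM_RE.search(body)
        if not m:
            continue
        dictionary = m.group(1)
        payload = _decode(m.group(2), dictionary)
        declared = bool(re.search(rb"/Subtype\s*/U3D\b|/Type\s*/3D\b", dictionary))
        has_magic = payload.startswith(U3D_MAGIC)
        if declared or has_magic:  # a mismatch between the two is itself worth a look
            findings.append({"obj": int(obj_num), "declared_u3d": declared,
                             "has_u3d_header": has_magic, "decoded_len": len(payload)})
    return findings


def build_sample_pdf() -> bytes:
    """Constructed fixture (not an exploit): a raw U3D stream, a Flate-compressed
    U3D stream, and one unrelated stream."""
    u3d = U3D_MAGIC + b"\x00" * 28  # header magic followed by a zeroed stub body
    def obj(n, d, s):
        return b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (n, d, len(s), s)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            + obj(4, b"/Type /3D /Subtype /U3D", u3d)
            + obj(5, b"/Type /3D /Subtype /U3D /Filter /FlateDecode", zlib.compress(u3d))
            + obj(6, b"", b"hello") + b"%%EOF\n")
```

A finding with has_u3d_header set but declared_u3d unset (or the reverse) indicates a stream whose dictionary and content disagree, which is a common evasion pattern and a good reason to escalate the file.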


CVE-2025-6645 vulnerability details – vuln.today
