Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PDF delivery is network-reachable but requires user to open the file (UI:R); impact is limited to an application crash with no confidentiality or integrity effect (C:N/I:N/A:L).
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security flaw has been discovered in Investintech SlimPDFReader up to 2.0.14. Affected by this issue is the function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 of the file SlimPDFReader.exe of the component PDF File Handler. Performing a manipulation results in out-of-bounds read. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Out-of-bounds read in Investintech SlimPDFReader through version 2.0.14 exposes users to application crashes when processing maliciously crafted PDF files, exploitable remotely with passive user interaction. The vulnerable function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 within SlimPDFReader.exe fails to validate buffer boundaries during PDF parsing, resulting in a low-severity availability impact (application crash/DoS) with no confirmed confidentiality or integrity effect despite the 'Information Disclosure' tag in source metadata. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively open a maliciously crafted PDF file using SlimPDFReader version 2.0.14 or earlier on a Windows system - user interaction (UI:P in CVSS 4.0) is a hard prerequisite and cannot be bypassed remotely without additional social engineering. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) reflects a realistic threat profile: network-reachable (AV:N), low complexity (AC:L), no authentication (PR:N), but requiring passive user interaction (UI:P) and producing only low availability impact (VA:L) with no confidentiality or integrity consequences (VC:N/VI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker embeds malformed PDF object structures with manipulated length or offset values into a crafted PDF file and delivers it to a target via phishing email or a malicious download link. When the victim opens the file in SlimPDFReader 2.0.14 or earlier, the `TeighaDo` PDF parsing function reads beyond its allocated buffer, triggering an access violation that crashes the application. … |
| Remediation | No vendor-released patch identified at time of analysis - the product is confirmed end-of-life and Investintech will not issue a fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Slimpdfreader
View allSame weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40019
GHSA-3pg9-gwgr-fmmw