CVE-2025-69627

HIGH

Nitro PDF Pro for Windows 14.41.1.4 - Use After Free

Title source: llm

Description

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes.

References (2)

Core 2

Core References

http://nitro.com

https://jeroscope.com/advisories/2025/jero-2025-016/

Scores

CVSS v3 8.4

EPSS 0.0019

EPSS Percentile 8.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-416

Status published

Products (1)

gonitro/nitro_pdf_pro 14.41.1.4

Published Apr 13, 2026

Tracked Since Apr 13, 2026