Hard drive destruction services specialists report finding at least five vulnerabilities in Nitro Pro, a popular tool for creating and editing documents in PDF format. According to the report, exploiting these flaws would allow buffer overflow and out-of-bounds write attacks, among others.

Below are brief descriptions of the reported vulnerabilities, along with their respective identifiers and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-6146: This flaw exists due to a boundary error in the rendering functionality when drawing the contents of a page and selecting the stroke color from an “ICC-based” color space. Remote attackers can trick the target user into loading a specially crafted document, triggering a buffer overflow that would lead to arbitrary code execution.

The flaw received a score of 7.7/10 and its exploitation could compromise the affected system completely, as mentioned by the experts in hard drive destruction services.

CVE-2020-6116: An integer overflow in the Nitro Pro rendering functionality would allow remote threat actors to trick the victim into loading a specially crafted document that triggers the overflow and runs arbitrary code on their system.

The vulnerability received a score of 7.7/10.

CVE-2020-6115: A use-after-free error in the cross-reference table repair feature would allow malicious hackers to send the victim a specially crafted document that executes arbitrary code on the target system.

According to hard drive destruction services specialists, the flaw received a score of 7.7/10 on the CVSS scale and its exploitation would allow full compromise of the affected system.

CVE-2020-6113: This vulnerability exists due to an integer overflow in the object flow analysis functionality. Threat actors could exploit it by sending the victim a specially crafted document that triggers the integer overflow and achieves arbitrary code execution.

The vulnerability received a score of 7.7/10.

CVE-2020-6112: This flaw exists due to a boundary error when processing unverified input in the JPEG2000 band decoding function when decoding subsamples.

Remote threat actors might use a specially crafted image to trigger an out-of-bounds write and execute arbitrary code on the affected system.

The reported flaws are present in the following versions of Nitro Pro: 13.13.2.242 and 13.16.2.300.

Although the vulnerabilities can be exploited by unauthenticated threat actors, specialists mention that no exploitation attempts have been detected in real-world scenarios.

Updates have already been released, so Nitro Pro recommends that users update immediately.