PatchSiren cyber security CVE debrief
CVE-2016-8709 Gonitro CVE debrief
CVE-2016-8709 is a high-severity memory corruption vulnerability in Nitro Pro 10's PDF parsing functionality. According to NVD, a specially crafted PDF file can trigger a remote out-of-bounds write that may lead to memory corruption. The NVD CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating user interaction is required and the impact can be severe once triggered. NVD lists affected Nitro PDF Pro versions through 10.5.9.9.
- Vendor: Gonitro
- Product: CVE-2016-8709
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-10
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-10
- Advisory updated: 2026-05-13
Who should care
Security teams, endpoint administrators, and users of Nitro Pro / Nitro PDF Pro who open untrusted PDF files should prioritize this issue. It is especially relevant for organizations that handle email attachments, downloaded documents, or external PDFs on Windows endpoints.
Technical summary
NVD classifies the weakness as CWE-787 (out-of-bounds write). The vulnerability is in PDF parsing and is triggered by a specially crafted PDF, with user interaction required to open or process the file. The NVD CPE range marks gonitro:nitro_pdf_pro versions up to 10.5.9.9 as vulnerable. The CVSS v3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H reflects a local, user-assisted attack path with potentially high confidentiality, integrity, and availability impact.
Defensive priority
High. The issue is scored 7.8 (HIGH) and involves memory corruption in a document parser, which is a common path to application crashes or more serious compromise in affected environments. Because exploitation requires a victim to open a crafted PDF, exposure can be reduced quickly through patching and document-handling controls.
Recommended defensive actions
- Identify systems running Nitro Pro / Nitro PDF Pro and confirm whether any are at or below version 10.5.9.9.
- Upgrade to a vendor-fixed release newer than the vulnerable range shown in NVD.
- Treat untrusted PDF files as high-risk input and restrict opening unknown attachments or downloads.
- Use email and web filtering to reduce delivery of suspicious PDF attachments.
- Where possible, open external documents in isolated or sandboxed environments until affected systems are remediated.
- Validate endpoint protection and application controls on systems that commonly process external PDFs.
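An added example (not part of the original debrief or of any vendor tooling) for the first action above: triaging a software-inventory export against the 10.5.9.9 upper bound that NVD lists. The CSV column names, the hostnames, and the "nitro" product-name match are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Upper bound of the vulnerable range NVD lists for gonitro:nitro_pdf_pro.
LAST_VULNERABLE = (10, 5, 9, 9)

# Constructed sample export; hostnames, column names and rows are illustrative only.
SAMPLE_INVENTORY = """host,display_name,display_version
ws-001,Nitro Pro 10,10.5.9.9
ws-002,Nitro Pro 10,10.5.9.10
ws-003,Nitro Pro 10,10.5.4
ws-004,Nitro Pro 11,11.0.3.134
ws-005,Nitro Pro,unknown
ws-006,Other PDF Reader,9.0.0.1
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a dotted numeric version."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad so 10.5.4 compares as 10.5.4.0

def classify(version_text):
    """'vulnerable' if <= 10.5.9.9, 'outside-range' if newer, 'review' if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return "review"  # fail closed: an unknown version needs a manual check
    # Tuple comparison is numeric per component; comparing the raw strings
    # would sort "10.5.9.10" before "10.5.9.9" and misclassify it.
    return "vulnerable" if version <= LAST_VULNERABLE else "outside-range"

def triage(inventory_csv):
    """Map host -> status for every row whose product name mentions Nitro."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "nitro" in row["display_name"].lower():
            results[row["host"]] = classify(row["display_version"])
    return results

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

"outside-range" means only that the version is above the range NVD marks as vulnerable; confirm the fixed release against the vendor's own guidance.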
Evidence notes
NVD states the issue is a remote out-of-bounds write / memory corruption vulnerability in Nitro Pro 10 PDF parsing and that a specially crafted PDF can trigger it. The NVD record assigns CWE-787 and CVSS v3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. NVD's CPE criteria mark gonitro:nitro_pdf_pro versions through 10.5.9.9 as vulnerable. NVD references a Talos technical advisory URL and a SecurityFocus BID entry; the SecurityFocus link is marked broken in the supplied corpus.
Official resources
- CVE-2016-8709 CVE record (CVE.org)
- CVE-2016-8709 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Exploit, Technical Description, Third Party Advisory
CVE published on 2017-02-10. The supplied NVD source record was last modified on 2026-05-13.