DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-3779: Use-After-Free in Foxit PDF Calculate Array Leads to Arbitrary Code Execution

Vulnerability ID: CVE-2026-3779
CVSS Score: 7.8
Published: 2026-04-01

Foxit PDF Editor and Foxit PDF Reader contain a high-severity (CVSS 7.8) use-after-free in the list box calculate array logic. A crafted PDF can use AcroJS to delete pages or form fields while the calculate array still holds pointers to them; when the calculation runs again it dereferences freed memory, which an attacker can turn into arbitrary code execution in the context of the user who opened the document.

TL;DR

A use-after-free in Foxit's form-calculation engine leads to arbitrary code execution when a victim opens a malicious PDF: the application fails to clear stale pointers from the calculate array when pages or form elements are deleted.
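The lifecycle bug described above, as an added model written for this page (it is not Foxit's code, and the structure names, the script callback and the quarantine flag are all assumptions made for illustration). A document owns its fields, and a separate calculate array keeps raw pointers to them in calculation order. The vulnerable delete frees a field but leaves its pointer in the calculate array; the fixed delete unregisters the pointer first. A real build would crash on the stale access or, with attacker-controlled heap layout, execute attacker code; here a freed field is only quarantined so the stale read is counted instead of being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 8

/* A form field. `freed` is the quarantine flag standing in for a
 * sanitizer's red zone: set once the field's page has been deleted. */
typedef struct Field {
    char name[16];
    int  value;
    int  freed;
} Field;

/* Document state. `fields` is the owning list; `calc` is the calculate
 * array of raw pointers in calculation order, where this bug class lives. */
typedef struct Doc {
    Field *fields[MAX_FIELDS];
    int    nfields;
    Field *calc[MAX_FIELDS];
    int    ncalc;
    int    uaf_reports;   /* stale dereferences caught by read_value() */
} Doc;

static Field *add_field(Doc *d, const char *name, int value)
{
    Field *f = calloc(1, sizeof *f);
    strncpy(f->name, name, sizeof f->name - 1);
    f->value = value;
    d->fields[d->nfields++] = f;
    d->calc[d->ncalc++] = f;          /* every field joins the calc array */
    return f;
}

/* Remove `f` from a pointer array, keeping order. Returns 1 if found. */
static int remove_ptr(Field **arr, int *n, Field *f)
{
    int i, j;
    for (i = 0; i < *n; i++) if (arr[i] == f) break;
    if (i == *n) return 0;
    for (j = i; j + 1 < *n; j++) arr[j] = arr[j + 1];
    (*n)--;
    return 1;
}

/* Quarantined free: memory stays mapped so a later access is observable. */
static void free_field(Doc *d, Field *f)
{
    remove_ptr(d->fields, &d->nfields, f);
    f->freed = 1;
}

/* Stand-in for the sanitizer check a release build does not have. */
static int read_value(Doc *d, Field *f)
{
    if (f->freed) { d->uaf_reports++; return 0; }
    return f->value;
}

/* Vulnerable: deleting the page frees the field but leaves its pointer
 * in the calculate array. */
static void delete_field_vuln(Doc *d, Field *f)
{
    free_field(d, f);
}

/* Fixed: unregister from the calculate array before freeing. */
static void delete_field_fixed(Doc *d, Field *f)
{
    remove_ptr(d->calc, &d->ncalc, f);
    free_field(d, f);
}

/* Walks the calculate array. The calculate action of field A (modelling
 * a script callback) deletes field C while the walk is still in progress.
 * Returns the number of stale dereferences the walk performed. */
int run_calculate(int fixed)
{
    Doc d;
    Field *a, *b, *c;
    int i, sum = 0;

    memset(&d, 0, sizeof d);
    a = add_field(&d, "A", 1);
    b = add_field(&d, "B", 2);
    c = add_field(&d, "C", 3);

    /* ncalc is re-read each iteration, so the fixed path may shrink the
     * array mid-walk without the loop running past the end. */
    for (i = 0; i < d.ncalc; i++) {
        Field *f = d.calc[i];
        sum += read_value(&d, f);
        if (f == a) {
            if (fixed) delete_field_fixed(&d, c);
            else       delete_field_vuln(&d, c);
        }
    }
    (void)sum;
    free(a); free(b); free(c);        /* release the model's memory */
    return d.uaf_reports;
}

int main(void)
{
    printf("vulnerable walk: %d stale dereference(s)\n", run_calculate(0));
    printf("fixed walk:      %d stale dereference(s)\n", run_calculate(1));
    return 0;
}
```

The fix is the general one for this class: whichever object owns the deletion must also revoke every secondary reference (here the calculate array), or the secondary structure must validate entries before use. Unregistering at deletion time is preferred because it does not rely on every consumer remembering to check.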


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Use After Free (CWE-416)
  • CVSS Score: 7.8 (High)
  • Attack Vector: Local (the victim must open a crafted PDF, so user interaction is required)
  • Exploit Status: Proof of Concept (PoC)
  • CISA KEV: Not Listed
  • EPSS Score: 0.00019 (roughly 0.02% predicted probability of exploitation within 30 days; percentile 4.93%)

Affected Systems

  • Foxit PDF Editor: 2025.3 and earlier (fixed in the 2025.3 update)
  • Foxit PDF Editor: 14.0.2 and earlier (fixed in the 14.0.2 update)
  • Foxit PDF Editor: 13.2.2 and earlier (fixed in the 13.2.2 update)
  • Foxit PDF Reader: 2025.3 and earlier (fixed in the 2025.3 update)

Because each fix ships as an update within the same version branch, the affected and fixed numbers coincide; confirm the installed build against Foxit's security bulletin for this CVE rather than matching on the branch number alone.

Mitigation Strategies

  • Update Foxit PDF Editor and Reader to patched versions immediately.
  • Disable JavaScript functionality within Foxit Preferences if form calculation is not strictly required.
  • Enable 'Safe Reading Mode' to block untrusted active content execution.

Remediation Steps:

  1. Identify all endpoints running Foxit PDF Editor builds that predate the 2025.3, 14.0.2 or 13.2.2 updates.
  2. Identify all endpoints running Foxit PDF Reader builds that predate the 2025.3 update.
  3. Deploy Foxit software updates via enterprise patch management tools.
  4. Deploy a Group Policy Object (GPO) to disable JavaScript in Foxit products as a temporary workaround for unpatched systems.
  5. Monitor EDR telemetry for anomalous child processes (shells, script hosts, installers) spawned by Foxit Reader or Editor; a PDF viewer rarely has a legitimate reason to start them.
