Skip to main content

Foxit Pdf Editor CVE-2026-3775

| EUVDEUVD-2026-17751 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-04-01 Foxit GHSA-j35c-qjxf-46vc
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 01:45 euvd
EUVD-2026-17751
Analysis Generated
Apr 01, 2026 - 01:45 vuln.today
CVE Published
Apr 01, 2026 - 01:40 nvd
HIGH 7.8

DescriptionCVE.org

The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low‑privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user‑writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.

AnalysisAI

DLL search path hijacking in Foxit PDF Editor and Foxit PDF Reader update services enables local privilege escalation to SYSTEM. Low-privileged authenticated users can plant malicious libraries in writable directories that are resolved during update checks, achieving arbitrary code execution with elevated privileges. CVSS 7.8 (High) with low attack complexity. No public exploit identified at time of analysis, EPSS data not provided.

Technical ContextAI

This vulnerability exploits CWE-427 (Uncontrolled Search Path Element), commonly known as DLL hijacking or binary planting on Windows systems. The Foxit update service fails to implement secure DLL loading practices, specifically not restricting library resolution to trusted system directories or using mechanisms like SetDllDirectory() or SafeDllSearchMode. When the update service runs with SYSTEM privileges and checks for updates, it searches for required DLLs through a path that includes user-writable locations (such as %TEMP%, current working directory, or application directories with lax permissions). The Windows loader resolves libraries in search order, and if a malicious DLL is placed in an earlier-searched writable location with the correct name, it will be loaded and executed in the security context of the update service. The affected products per CPE data are Foxit PDF Editor (cpe:2.3:a:foxit_software_inc.:foxit_pdf_editor) and Foxit PDF Reader (cpe:2.3:a:foxit_software_inc.:foxit_pdf_reader), both widely-deployed PDF manipulation applications. This class of vulnerability is persistent in Windows applications that perform privileged operations without hardening DLL loading behavior.

RemediationAI

Organizations should immediately review the Foxit Security Bulletins page at https://www.foxit.com/support/security-bulletins.html for patch availability and specific remediation guidance. Patch available per vendor advisory; apply the latest security updates for Foxit PDF Editor and Foxit PDF Reader as released by Foxit Software. Until patching is complete, implement defense-in-depth controls including removing write permissions from non-administrative users on Foxit installation directories, enforcing application whitelisting to prevent unauthorized DLL execution, and monitoring for suspicious library loading behavior via EDR solutions. Consider temporarily disabling automatic update functionality if the service cannot be secured, though this creates operational security debt. In high-security environments, restrict Foxit product deployment to single-user workstations with full disk encryption and run endpoint privilege management solutions to prevent initial low-privileged access that enables exploitation. Validate post-patch that update services no longer load libraries from user-writable paths through process monitoring tools like Process Monitor or Sysmon event ID 7 (image loaded) analysis.

CVE-2026-57240 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigg

CVE-2026-13126 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows

CVE-2026-13127 HIGH
7.8 Jul 08

Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Re

CVE-2026-13128 HIGH
7.8 Jul 08

Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a

CVE-2026-13129 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attack

CVE-2026-57238 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the

CVE-2026-57242 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4

CVE-2026-57245 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attac

CVE-2026-57246 HIGH
7.8 Jul 08

Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin pr

CVE-2026-57248 HIGH
7.8 Jul 08

Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embe

CVE-2026-57249 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows a crafted PDF to crash the application

CVE-2026-57251 HIGH
7.8 Jul 08

Denial of service in Foxit PDF Editor and Foxit PDF Reader arises when the application renders a PDF containing cloud-st

Share

CVE-2026-3775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy