Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low‑privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user‑writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.
AnalysisAI
DLL search path hijacking in Foxit PDF Editor and Foxit PDF Reader update services enables local privilege escalation to SYSTEM. Low-privileged authenticated users can plant malicious libraries in writable directories that are resolved during update checks, achieving arbitrary code execution with elevated privileges. CVSS 7.8 (High) with low attack complexity. No public exploit identified at time of analysis, EPSS data not provided.
Technical ContextAI
This vulnerability exploits CWE-427 (Uncontrolled Search Path Element), commonly known as DLL hijacking or binary planting on Windows systems. The Foxit update service fails to implement secure DLL loading practices, specifically not restricting library resolution to trusted system directories or using mechanisms like SetDllDirectory() or SafeDllSearchMode. When the update service runs with SYSTEM privileges and checks for updates, it searches for required DLLs through a path that includes user-writable locations (such as %TEMP%, current working directory, or application directories with lax permissions). The Windows loader resolves libraries in search order, and if a malicious DLL is placed in an earlier-searched writable location with the correct name, it will be loaded and executed in the security context of the update service. The affected products per CPE data are Foxit PDF Editor (cpe:2.3:a:foxit_software_inc.:foxit_pdf_editor) and Foxit PDF Reader (cpe:2.3:a:foxit_software_inc.:foxit_pdf_reader), both widely-deployed PDF manipulation applications. This class of vulnerability is persistent in Windows applications that perform privileged operations without hardening DLL loading behavior.
RemediationAI
Organizations should immediately review the Foxit Security Bulletins page at https://www.foxit.com/support/security-bulletins.html for patch availability and specific remediation guidance. Patch available per vendor advisory; apply the latest security updates for Foxit PDF Editor and Foxit PDF Reader as released by Foxit Software. Until patching is complete, implement defense-in-depth controls including removing write permissions from non-administrative users on Foxit installation directories, enforcing application whitelisting to prevent unauthorized DLL execution, and monitoring for suspicious library loading behavior via EDR solutions. Consider temporarily disabling automatic update functionality if the service cannot be secured, though this creates operational security debt. In high-security environments, restrict Foxit product deployment to single-user workstations with full disk encryption and run endpoint privilege management solutions to prevent initial low-privileged access that enables exploitation. Validate post-patch that update services no longer load libraries from user-writable paths through process monitoring tools like Process Monitor or Sysmon event ID 7 (image loaded) analysis.
More in Foxit Pdf Editor
View allUse-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigg
Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows
Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Re
Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a
Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attack
Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the
Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4
Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attac
Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin pr
Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embe
Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows a crafted PDF to crash the application
Denial of service in Foxit PDF Editor and Foxit PDF Reader arises when the application renders a PDF containing cloud-st
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17751
GHSA-j35c-qjxf-46vc