Skip to main content

Foxit Pdf Editor CVE-2026-3778

| EUVDEUVD-2026-17757 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-04-01 Foxit
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 01:45 euvd
EUVD-2026-17757
Analysis Generated
Apr 01, 2026 - 01:45 vuln.today
CVE Published
Apr 01, 2026 - 01:40 nvd
MEDIUM 6.2

DescriptionCVE.org

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.

AnalysisAI

Foxit PDF Editor and PDF Reader are vulnerable to denial of service via uncontrolled recursion in maliciously crafted PDF documents containing cyclic object references in pages and annotations. When such documents are processed by APIs performing deep object traversal (such as SOAP handlers), the applications exhaust stack memory and crash. The vulnerability requires only local access and no user interaction beyond opening a malicious PDF, making it a practical attack vector for local denial of service.

Technical ContextAI

The vulnerability stems from improper handling of cyclic object references in PDF document structures (CWE-674: Uncontrolled Recursion). PDF objects-particularly pages and annotation dictionaries-can reference each other, and when a parser or API traversal routine encounters these cycles without cycle detection, it enters infinite recursion. This is particularly dangerous when documents are processed by SOAP or other deep-traversal APIs that recursively inspect all referenced objects. The issue affects Foxit PDF Editor and Foxit PDF Reader across multiple versions, as indicated by the wildcard version matching in the CPE strings, suggesting the flaw may exist in core PDF parsing logic shared across product versions.

RemediationAI

Foxit users should consult the official security bulletin at https://www.foxit.com/support/security-bulletins.html for specific patched versions of Foxit PDF Editor and Foxit PDF Reader. The primary mitigation is upgrading to a patched release once available. In the interim, organizations should restrict PDF processing workflows to trusted sources and avoid opening PDF attachments from untrusted senders in these applications. If automated batch PDF processing is in use, consider temporarily disabling or sandboxing such workflows until patches are deployed. Additionally, implementing input validation to reject PDFs with excessive or cyclic object nesting may reduce exposure, though vendor patches are the definitive fix.

CVE-2026-57240 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigg

CVE-2026-13126 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows

CVE-2026-13127 HIGH
7.8 Jul 08

Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Re

CVE-2026-13128 HIGH
7.8 Jul 08

Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a

CVE-2026-13129 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attack

CVE-2026-57238 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the

CVE-2026-57242 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4

CVE-2026-57245 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attac

CVE-2026-57246 HIGH
7.8 Jul 08

Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin pr

CVE-2026-57248 HIGH
7.8 Jul 08

Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embe

CVE-2026-57249 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows a crafted PDF to crash the application

CVE-2026-57251 HIGH
7.8 Jul 08

Denial of service in Foxit PDF Editor and Foxit PDF Reader arises when the application renders a PDF containing cloud-st

Share

CVE-2026-3778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy