CVE-2018-9948: Foxit PDF Reader Pointer Overwrite UAF

Exploitation Summary

EIP tracks 5 public exploits for CVE-2018-9948. PoCs published by Metasploit, mr_me, manojcode, including Metasploit module exploits/windows/fileformat/foxit_reader_uaf.

AI-analyzed exploit summary This Metasploit module exploits a Use-After-Free (UAF) vulnerability in Foxit PDF Reader v9.0.1.1049, combining it with an uninitialized pointer issue to leak memory addresses and execute a ROP chain for arbitrary code execution.

Description

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of typed arrays. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5380.

Exploits (5)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocalwindows

https://www.exploit-db.com/exploits/45269

View Code ZIP pw:eip

This Metasploit module exploits a Use-After-Free (UAF) vulnerability in Foxit PDF Reader v9.0.1.1049, combining it with an uninitialized pointer issue to leak memory addresses and execute a ROP chain for arbitrary code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Foxit PDF Reader v9.0.1.1049

No auth needed

Prerequisites: Victim must open the malicious PDF file in Foxit PDF Reader v9.0.1.1049

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by mr_me · textremotewindows

https://www.exploit-db.com/exploits/44941

View Code ZIP pw:eip

This exploit leverages CVE-2018-9958 and CVE-2018-9948 to achieve remote code execution in Foxit Reader 9.0.1.1049 via a use-after-free vulnerability and information disclosure. It uses heap manipulation and ROP chains to execute arbitrary code (e.g., calc.exe).

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Foxit Reader 9.0.1.1049

No auth needed

Prerequisites: Victim must open the malicious PDF file in Foxit Reader 9.0.1.1049

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 6 stars

by manojcode · poc

https://github.com/manojcode/Foxit-Reader-RCE-with-virualalloc-and-shellcode-for-CVE-2018-9948-and-CVE-2018-9958

View Code ZIP pw:eip

This is a working exploit PoC for Foxit Reader that leverages CVE-2018-9948 and CVE-2018-9958 to achieve remote code execution via heap spraying and ROP chain manipulation. It includes a custom ROP chain for VirtualAlloc and a Metasploit-generated shellcode to spawn a calculator.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: Foxit Reader v9.0.1.1049

No auth needed

Prerequisites: Victim must open the malicious PDF file in a vulnerable version of Foxit Reader

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by orangepirate · poc

https://github.com/orangepirate/cve-2018-9948-9958-exp

View Code ZIP pw:eip

This repository contains a Python script that generates a reverse TCP shellcode using Metasploit's msfvenom, which is intended to be embedded into an exploit PDF for CVE-2018-9948. The script formats the shellcode for use in a JavaScript-based exploit.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Adobe Acrobat Reader DC (versions prior to 2018.011.20058)

No auth needed

Prerequisites: Metasploit Framework (msfvenom) · Target system running vulnerable Adobe Acrobat Reader

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by mr_me, bit from meepwn, saelo, Jacob Robles · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/foxit_reader_uaf.rb

View Code ZIP pw:eip

This Metasploit module exploits a Use-After-Free (UAF) vulnerability in Foxit PDF Reader v9.0.1.1049, combining it with an uninitialized pointer issue to leak memory addresses and execute a ROP chain for arbitrary code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Foxit PDF Reader v9.0.1.1049

No auth needed

Prerequisites: Victim must open the malicious PDF file · SMB share hosting the payload if using remote execution

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry x_refsource_misc

https://zerodayinitiative.com/advisories/ZDI-18-332

Patch, Vendor Advisory x_refsource_confirm

https://www.foxitsoftware.com/support/security-bulletins.php

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44941/

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45269/

CVE-2018-9948

Foxit PDF Reader Pointer Overwrite UAF

Exploitation Summary

Description

Exploits (5)

References (4)

Scores

Details