CVE-2026-3779

HIGH

Foxit PDF Editor/Reader List Box Calculate Array Use-After-Free Vulnerability

Title source: cna

Description

The application's list box calculate array logic keeps stale references to page or form objects after they are deleted or re-created, which allows crafted documents to trigger a use-after-free when the calculation runs and can potentially lead to arbitrary code execution.

References (2)

https://www.foxit.com/support/security-bulletins.html

[Third Party Advisory] https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2365

Scores

CVSS v3 7.8

EPSS 0.0002

EPSS Percentile 3.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-416

Status published

Products (6)

foxit/pdf_editor < 13.2.2.24014

foxit/pdf_reader < 2025.3.0.35737

Foxit Software Inc./Foxit PDF Editor Versions 13.2.2 and earlier

Foxit Software Inc./Foxit PDF Editor Versions 14.0.2 and earlier

Foxit Software Inc./Foxit PDF Editor Versions 2025.3 and earlier

Foxit Software Inc./Foxit PDF Reader Versions 2025.3 and earlier

Published Apr 01, 2026

Tracked Since Apr 01, 2026