Use-After-Free Vulnerability in Foxit Software's PDF Reader
CVE-2022-38097

8.8HIGH

Key Information:

Vendor: Foxit
Status: Foxit Reader
Vendor: CVE Published:; 21 November 2022

Summary

A use-after-free vulnerability has been identified in Foxit Software's PDF Reader, specifically within its JavaScript engine. This issue arises when annotation objects are destroyed prematurely, allowing a specially crafted PDF document to trigger the reuse of previously freed memory. This behavior can potentially lead to arbitrary code execution. Attackers might exploit this vulnerability by enticing users to open a malicious PDF file or by employing a rogue website if the browser's plugin extension is active.

Affected Version(s)

Foxit Reader 12.0.1.12430

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 21, 2022
Vulnerability Reserved
Sep 13, 2022