Foxit PDF Reader Annotation Use-After-Free Remote Code Execution Vulnerability
CVE-2024-9255

7.8HIGH

Key Information:

Vendor: Foxit
Status: PDF Reader
Vendor: CVE Published:; 22 November 2024

Summary

Foxit PDF Reader contains a vulnerability related to the handling of Annotation objects, where a use-after-free issue can be exploited by attackers. This flaw allows for arbitrary code execution on devices running affected versions of the software. Attackers can utilize this vulnerability by persuading users to open malicious files or visit harmful web pages, leading to potential unauthorized actions within the context of the running process. The security concern emphasizes the significance of proper object validation to prevent exploitation.

Affected Version(s)

PDF Reader 2024.2.3.25184

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1308/

x_research-advisory

https://www.foxit.com/support/security-bulletins.html

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2024

Collectors

NVD DatabaseMitre Database