Two high-severity flaws reported in Foxit PDF Reader and Editor allowing remote code execution
Take action: If you are running Foxit PDF Reader or Editor, update now. Both flaws are rated high rather than critical (CVSS 8.8, just below the critical cutoff), but they can still be triggered by nothing more than opening a crafted PDF, so expect them to be exploited.
Learn More
Foxit Software has released security updates for its PDF Reader and Editor products, addressing two high-severity vulnerabilities that could enable remote code execution.
Two significant vulnerabilities have been identified:
- CVE-2024-49576 (CVSS score 8.8) is a use-after-free vulnerability in the checkbox Calculate CBF_Widget functionality. A checkbox widget object is freed by the document JavaScript call deletePages() and is subsequently used without validation, which can corrupt memory and lead to arbitrary code execution.
- CVE-2024-47810 (CVSS score 8.8) is a similar use-after-free in the handling of 3D page objects: page-object references held by 3D objects are not cleared after the page is freed, so a later access reaches freed memory.
Both vulnerabilities affect Foxit PDF Reader 2024.3.0.26795 and earlier, and the corresponding Foxit PDF Editor releases. They can be exploited either by opening a maliciously crafted PDF file or, if the browser plugin extension is enabled, by visiting a specially crafted website, so exposure is not limited to e-mail attachments. The flaws are patched in Foxit PDF Reader 2024.4 and Foxit PDF Editor 2024.4 and 13.1.5.
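Until every endpoint is patched, mail and upload gateways can pull aside PDFs that exhibit either trigger condition described above. The script below is an added example for this page, not Foxit's code and not a detection signature for either CVE: it flags PDFs whose embedded JavaScript calls deletePages() (the CBF_Widget path) and PDFs that carry 3D objects (the 3D page-object path), inflating FlateDecode streams first because malicious JavaScript is usually compressed. The three sample PDFs are constructed inline; the object and annotation names are standard PDF syntax.

```python
"""Heuristic triage of PDFs for the two trigger conditions named in the advisory.

Added example; not Foxit's code and not a signature for CVE-2024-49576 or
CVE-2024-47810. Sample PDFs below are constructed for this example.
"""
import re
import zlib

# Object/annotation names are standard PDF syntax (ISO 32000); deletePages is the
# document-level JavaScript method named in the advisory.
JS_MARKERS = (b"/JavaScript", b"/JS")
DELETE_PAGES_RE = re.compile(rb"\bdeletePages\s*\(")
THREE_D_RES = (
    re.compile(rb"/Subtype\s*/3D\b"),  # 3D annotation
    re.compile(rb"/3DD\b"),            # 3D data dictionary / stream reference
    re.compile(rb"/3DStream\b"),
)
# Stream bodies. A trailing EOL before 'endstream' is harmless: zlib ignores
# bytes after the end of the deflate stream.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _expand_streams(data: bytes) -> bytes:
    """Return the raw file plus every stream body that Flate-decompresses cleanly."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate, or encrypted / another filter: only raw bytes get searched
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Classify one PDF; 'quarantine' is True when a trigger-specific marker is present."""
    text = _expand_streams(data)
    has_js = any(marker in text for marker in JS_MARKERS)
    findings = []
    if has_js and DELETE_PAGES_RE.search(text):
        findings.append("javascript-deletePages")
    elif has_js:
        findings.append("javascript")  # worth a look, but too common on its own to block
    if any(rx.search(text) for rx in THREE_D_RES):
        findings.append("3d-object")
    quarantine = any(f in ("javascript-deletePages", "3d-object") for f in findings)
    return {"findings": findings, "quarantine": quarantine}


def _wrap(objects: bytes) -> bytes:
    # Minimal file framing (constructed); no xref table, which is fine for byte scanning.
    return b"%PDF-1.7\n" + objects + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_js_sample(compress: bool) -> bytes:
    """Document OpenAction JavaScript that calls deletePages() (constructed sample)."""
    script = b"var cb = this.getField('cb'); this.deletePages({nStart: 0}); cb.value = 'Yes';"
    if compress:
        payload = zlib.compress(script)
        js_ref = b"/JS 4 0 R"
        js_obj = (b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(payload)
                  + payload + b"\nendstream\nendobj\n")
    else:
        js_ref = b"/JS (" + script + b")"
        js_obj = b""
    catalog = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    pages = b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    action = b"3 0 obj\n<< /S /JavaScript " + js_ref + b" >>\nendobj\n"
    return _wrap(catalog + pages + action + js_obj)


def build_3d_sample() -> bytes:
    """Page with a 3D annotation referencing a 3D stream (constructed sample)."""
    return _wrap(
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
        b"4 0 obj\n<< /Type /Annot /Subtype /3D /Rect [0 0 200 200] /3DD 5 0 R >>\nendobj\n"
        b"5 0 obj\n<< /Type /3D /Subtype /U3D /Length 0 >>\nstream\n\nendstream\nendobj\n"
    )


def build_benign_sample() -> bytes:
    """One-page text PDF with no JavaScript or 3D content (constructed sample)."""
    content = b"BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET"
    page_objs = (
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
    )
    stream = (b"4 0 obj\n<< /Length %d >>\nstream\n" % len(content)
              + content + b"\nendstream\nendobj\n")
    return _wrap(page_objs + stream)


if __name__ == "__main__":
    for name, pdf in (("js-plain", build_js_sample(False)), ("js-flate", build_js_sample(True)),
                      ("3d", build_3d_sample()), ("benign", build_benign_sample())):
        print(name, triage_pdf(pdf))
```

This is a triage aid, not a block list: it does not decrypt encrypted PDFs, handle filters other than Flate, or see through string-built calls such as `this["delete" + "Pages"]`, so treat a hit as a reason to detonate the file in a sandbox and a miss as no evidence either way.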
Users are advised to update their Foxit products, either through the application's built-in updater (Help menu > About > Check for Update) or by downloading the latest version directly from Foxit's official website. Where the browser plugin is not needed, disabling it removes the web-based attack path while updates are rolled out.
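Checking one machine through the Help menu does not scale to a fleet. The script below is an added example, not Foxit's tooling: it compares an installed build against the first fixed build on the same branch (Reader 2024.4; Editor 2024.4 or 13.1.5, per the advisory) and, on Windows, enumerates Foxit entries from the standard Uninstall registry keys. The assumption that Foxit's entries carry a DisplayName containing "Foxit" and a DisplayVersion value is mine; verify it on one host before relying on it.

```python
"""Decide whether an installed Foxit build predates the 2024.4 / 13.1.5 fixes.

Added example, not Foxit's tooling. Fixed versions come from the advisory; the
registry lookup assumes (assumption) Foxit registers under the standard
Uninstall keys with a DisplayName containing "Foxit".
"""
import sys

# First fixed build per product line; Editor ships two supported branches.
FIXED_VERSIONS = {
    "reader": [(2024, 4)],
    "editor": [(2024, 4), (13, 1, 5)],
}


def parse_version(s: str) -> tuple:
    """'2024.3.0.26795' -> (2024, 3, 0, 26795); parsing stops at the first non-numeric part."""
    parts = []
    for piece in s.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(parts)


def needs_update(product: str, version: str) -> bool:
    """True when the build is older than the fixed build on its own major branch."""
    installed = parse_version(version)
    fixed_list = FIXED_VERSIONS[product.lower()]
    if installed[0] > max(f[0] for f in fixed_list):
        return False  # newer branch than any listed fix
    for fixed in fixed_list:
        if fixed[0] == installed[0]:
            # Tuple comparison handles '2024.4' vs '2024.4.0.x' correctly:
            # a longer tuple with an equal prefix compares greater.
            return installed < fixed
    return True  # older branch (e.g. Editor 12.x) with no fix listed: update


def product_line(display_name: str) -> str:
    return "editor" if "editor" in display_name.lower() else "reader"


def installed_foxit_products() -> list:
    """(DisplayName, DisplayVersion) for Foxit entries in the Uninstall keys; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module

    roots = (
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    )
    found = []
    for hive, path in roots:
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as entry:
                        name, _ = winreg.QueryValueEx(entry, "DisplayName")
                        ver, _ = winreg.QueryValueEx(entry, "DisplayVersion")
                except OSError:
                    continue  # entry without the values we need
                if "foxit" in str(name).lower():
                    found.append((str(name), str(ver)))
    return found


if __name__ == "__main__":
    for name, ver in installed_foxit_products():
        state = "UPDATE" if needs_update(product_line(name), ver) else "ok"
        print(f"{state:6} {name} {ver}")
```

Run it with the same privileges the updater uses; per-user installs only appear under HKEY_CURRENT_USER of the user who installed them, so a fleet sweep needs to run in each profile or read the loaded user hives.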