Popular PDF document reader Foxit Reader has been updated to address multiple use-after-free security bugs that could be exploited for arbitrary code execution.
The issues, tracked as CVE-2022-32774, CVE-2022-38097, CVE-2022-37332 and CVE-2022-40129, have a CVSS score of 8.8 and are described as use-after-free vulnerabilities.
“A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution,” Cisco explains.
An attacker looking to exploit these vulnerabilities would need to trick a user into opening a malicious file. According to Cisco, if the Foxit browser plugin extension is enabled, the bugs can be triggered when the user navigates to a malicious website.
Cisco reported the security defects to Foxit in September. This week, Foxit released version 184.108.40.20630 of its PDF reader to address all issues. Users are advised to update to the latest software iteration as soon as possible.