Popular PDF document reader Foxit Reader has been updated to address multiple use-after-free security bugs that could be exploited for arbitrary code execution.
The feature-rich PDF reader provides broad functionality to users, including support for multimedia documents and dynamic forms via JavaScript support, which also expands the application’s attack surface.
This week, Cisco’s Talos security researchers have published information on four vulnerabilities in Foxit Reader’s JavaScript engine that could be exploited to achieve arbitrary code execution.
The issues, tracked as CVE-2022-32774, CVE-2022-38097, CVE-2022-37332 and CVE-2022-40129, have a CVSS score of 8.8 and are described as use-after-free vulnerabilities.
“A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution,” Cisco explains.
An attacker looking to exploit these vulnerabilities would need to trick a user into opening a malicious file. According to Cisco, if the Foxit browser plugin extension is enabled, the bugs can be triggered when the user navigates to a malicious website.
Cisco reported the security defects to Foxit in September. This week, Foxit released version 12.0.1.12430 of its PDF reader to address all issues. Users are advised to update to the latest software iteration as soon as possible.
Related: Apple Patches Remote Code Execution Flaws in iOS, macOS
Related: Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products
Related: Citrix Patches Critical Vulnerability in Gateway, ADC
Related: SAP Patches Critical Vulnerabilities in BusinessObjects, SAPUI5

More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
