CVE-2026-3779

Summary

The application's list box calculate array logic keeps stale references to page or form objects after they are deleted or re-created, which allows crafted documents to trigger a use-after-free when the calculation runs and can potentially lead to arbitrary code execution.

Affected Software

VendorProductVersion RangeStatus
Foxit Software Inc.Foxit PDF EditorVersions 2025.3 and earlieraffected
Foxit Software Inc.Foxit PDF EditorVersions 14.0.2 and earlieraffected
Foxit Software Inc.Foxit PDF EditorVersions 13.2.2 and earlieraffected
Foxit Software Inc.Foxit PDF ReaderVersions 2025.3 and earlieraffected

Weaknesses

  • CWE-416: CWE-416 Use after free

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References