CVE-2018-16296Use After Free in Phantompdf

CWE-416Use After Free3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.5%
top 32.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Foxitsoftware PhantompdfFoxitsoftware Reader
Timeline
PublishedOct 8
Latest updateMay 14

Description

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 9.3 and PhantomPDF before 9.3, a different vulnerability than CVE-2018-16291, CVE-2018-16292, CVE-2018-16293, CVE-2018-16294, CVE-2018-16295, and CVE-2018-16297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the brow

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDfoxitsoftware/reader9.2.0.9297
NVDfoxitsoftware/phantompdf9.2.0.9297

Patches

Patch: www.foxitsoftware.comPatch: www.foxitsoftware.com

🔴Vulnerability Details

2
GHSA
GHSA-r3q4-h9cx-8phg: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 92022-05-14
CVEList
CVE-2018-16296: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Reader before 92018-10-08
CVE-2018-16296 — Use After Free in Phantompdf | cvebase