CVE-2018-3940 — Use After Free in Reader

CWE-416 — Use After Free3 documents3 sources

Severity

8.8HIGHNVD

EPSS

7.6%

top 8.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foxitsoftware Phantompdf Foxitsoftware Reader Foxit Software Foxit PDF Reader

Timeline

PublishedOct 8

Latest updateMay 13

Description

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 9.1.0.5096. A specially crafted PDF document can trigger a previously freed object in memory to be reused. An attacker needs to trick the user to open the malicious file to trigger.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDfoxitsoftware/reader9.2.0.9297

▶CVEListV5foxit_software/foxit_pdf_reader9.1.0.5096

▶NVDfoxitsoftware/phantompdf9.2.0.9297

🔴Vulnerability Details

GHSA

GHSA-mmqm-wj2w-f634: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 9↗2022-05-13

▶

CVEList

CVE-2018-3940: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 9↗2018-10-08

▶