CVE-2018-3993Use After Free in Reader

CWE-416Use After Free3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.7%
top 26.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Foxitsoftware PhantompdfFoxitsoftware ReaderFoxit Software Foxit PDF Reader
Timeline
PublishedOct 3
Latest updateMay 13

Description

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDfoxitsoftware/reader9.2.0.9297
CVEListV5foxit_software/foxit_pdf_reader9.2.0.9297
NVDfoxitsoftware/phantompdf9.2.0.9297

Patches

Patch: www.foxitsoftware.com

🔴Vulnerability Details

2
GHSA
GHSA-6qq8-xprq-5qr2: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 92022-05-13
CVEList
CVE-2018-3993: An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 92018-10-03
CVE-2018-3993 — Use After Free in Foxitsoftware Reader | cvebase