CVE-2026-3779

Description

The application's list box calculate array logic keeps stale references to page or form objects after they are deleted or re-created, which allows crafted documents to trigger a use-after-free when the calculation runs and can potentially lead to arbitrary code execution.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE

Foxit PDF Editor < 2026 (具体受影响版本请参考官方安全公告)

Foxit PDF Reader < 2026 (具体受影响版本请参考官方安全公告)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import fpdf

# Proof of Concept Generator for CVE-2026-3779
# This script generates a PDF structure intended to trigger the list box calculation logic.
# Note: Actual exploitation requires precise memory layout control and heap grooming.

def generate_malicious_pdf(filename):
    pdf = fpdf.FPDF()
    pdf.add_page()
    pdf.set_font("Arial", size=12)
    pdf.cell(200, 10, txt="CVE-2026-3779 PoC Trigger", ln=1, align='C')
    
    # In a real exploit, specific JavaScript or Form objects would be crafted here
    # to force the deletion and recreation of the list box object.
    
    # Simulating the trigger condition conceptually
    malicious_js = """
    // Conceptual trigger for UAF in list box calculation
    var f = this.getField("listbox");
    // Logic to force object deletion/recreation and stale reference access
    """
    
    # Embed JavaScript (Simplified representation)
    # In a real scenario, this would involve low-level PDF stream manipulation
    pdf.output(filename)
    print(f"[+] PoC PDF generated: {filename}")

if __name__ == "__main__":
    generate_malicious_pdf("cve_2026_3779_poc.pdf")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-3779
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-3779
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-3779/
[4] VulDB https://vuldb.com/cve/CVE-2026-3779
[5] https://www.foxit.com/support/security-bulletins.html
[6] https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2365

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-3779", "sourceIdentifier": "14984358-7092-470d-8f34-ade47a7658a2", "published": "2026-04-01T02:16:03.043", "lastModified": "2026-04-28T14:15:34.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The application's list box calculate array logic keeps stale references to page or form objects after they are deleted or re-created, which allows crafted documents to trigger a use-after-free when the calculation runs and can potentially lead to arbitrary code execution."}, {"lang": "es", "value": "La lógica de cálculo de la matriz del cuadro de lista de la aplicación mantiene referencias obsoletas a objetos de página o formulario después de que son eliminados o recreados, lo que permite que documentos manipulados activen un uso después de liberación cuando se ejecuta el cálculo y puede conducir potencialmente a ejecución de código arbitrario."}], "metrics": {"cvssMetricV31": [{"source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionEndIncluding": "13.2.2.24014", "matchCriteriaId": "8E9FD877-062E-4AE4-B7D7-91E1CA8657DF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0.0.33046", "versionEndIncluding": "14.0.2.33402", "matchCriteriaId": "6B7281CC-97ED-4441-BB97-6C73E328B9AD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.1.0.15510", "versionEndIncluding": "2023.3.0.23028", "matchCriteriaId": "0C75FEE6-54F3-49C6-BAEA-A09D23BE5D64"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2024.1.0.23997", "versionEndIncluding": "2024.4.1.27687", "matchCriteriaId": "2C06BC41-9831-4AE3-B10B-3FC313D01580"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.1.0.27937", "versionEndIncluding": "2025.3.0.35737", "matchCriteriaId": "AD0AAFC0-5B9B-4A11-8967-4699792850F1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025.3.0.35737", "matchCriteriaId": "1A7AD877-2AB4-4568-8109-5406D2259725"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionEndIncluding": "13.2.2.63349", "matchCriteriaId": "2C7DEE55-1FE3-4B41-975D-BB926E9E69D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0.0.68868", "versionEndIncluding": "14.0.2.69164", "matchCriteriaId": "9D6DE6B5-F04E-4484-9BF9-397D49464636"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.1.0.55583", "versionEndIncluding": "2023.3.0.63083", "matchCriteriaId": "D8785CCE-C44C-4908-9133-13A580D5BECB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2024.1.0.63682", "versionEndIncluding": "2024.4.1.66479", "matchCriteriaId": "CF043D20-0E28-481C-8756-D1301FAE67D2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.1.0.66692", "versionEndIncluding": "2025.3.0.69570", "matchCriteriaId": "20698FD4-5E28-4206-ACEA-4FCD24AD23BE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025.3.0.69570", "matchCriteriaId": "308530A9-A5C2-4293-BB02-00DDB6C17C37"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}], "references": [{"url": "https://www.foxit.com/support/security-bulletins.html", "source": "14984358-7092-470d-8f34-ade47a7658a2", "tags": ["Vendor Advisory"]}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2365", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "Exploit"]}]}}