{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/foxit/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-3779"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-3779","use-after-free","code-execution","foxit"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3779 is a use-after-free vulnerability affecting an unspecified Foxit application. The vulnerability stems from the application\u0026rsquo;s list box calculate array logic, which improperly manages references to page or form objects. Specifically, when these objects are deleted or re-created, the calculation logic retains stale references. This flaw allows attackers to craft malicious documents that, upon calculation, trigger a use-after-free condition. Successful exploitation of this vulnerability could enable an attacker to execute arbitrary code within the context of the affected application. 
The vulnerability was reported on March 31, 2026 and poses a significant risk to users who handle untrusted documents with the vulnerable application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious document exploiting the list box calculation logic.\u003c/li\u003e\n\u003cli\u003eThe user opens the document in a vulnerable Foxit application.\u003c/li\u003e\n\u003cli\u003eThe application attempts to perform a list box calculation.\u003c/li\u003e\n\u003cli\u003eThe stale reference within the list box calculate array logic is triggered.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access the deleted or re-created page/form object.\u003c/li\u003e\n\u003cli\u003eA use-after-free condition occurs, potentially corrupting memory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages memory corruption to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3779 can lead to arbitrary code execution on the victim\u0026rsquo;s machine. The CVSS v3.1 score of 7.8 indicates a high severity. Exploitation requires user interaction (opening a malicious document), limiting the scope somewhat. However, targeted spearphishing campaigns could deliver such malicious documents, impacting organizations that rely on the vulnerable Foxit application for document handling. 
The consequences include potential data theft, system compromise, and further propagation of malicious activity within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for unusual child processes spawned by the Foxit application, using the process creation rule provided below.\u003c/li\u003e\n\u003cli\u003eApply the security updates released by Foxit as outlined in their security bulletin to remediate CVE-2026-3779 (\u003ca href=\"https://www.foxit.com/support/security-bulletins.html\"\u003ehttps://www.foxit.com/support/security-bulletins.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening documents from untrusted sources to reduce the likelihood of initial access via social engineering (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T02:16:03Z","date_published":"2026-04-01T02:16:03Z","id":"/briefs/2026-04-foxit-uaf/","summary":"CVE-2026-3779 is a use-after-free vulnerability in a Foxit application where stale references to page/form objects can lead to arbitrary code execution via crafted documents.","title":"Foxit Application Use-After-Free Vulnerability (CVE-2026-3779)","url":"https://feed.craftedsignal.io/briefs/2026-04-foxit-uaf/"}],"language":"en","title":"CraftedSignal Threat Feed — Foxit","version":"https://jsonfeed.org/version/1.1"}