Impact
When a PDF file containing JavaScript deletes form fields, the Foxit PDF Editor and Reader still use the old pointers to those fields. This leads to a use‑after‑free condition that can trigger a crash. The flaw is categorized as CWE‑416 and, while the description states a crash, the reported vulnerability is presented as a remote code execution flaw, indicating that an attacker might be able to exploit the invalid pointer to execute arbitrary code.
Affected Systems
Foxit Software Inc.'s Foxit PDF Editor and Foxit PDF Reader are affected. No specific version information is provided, so any potentially vulnerable build of these products should be evaluated.
Risk and Exploitability
The CVSS score of 7.8 places the flaw in the high severity range, yet the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the user opening a malicious PDF file, either locally or over a network. Exploitation would require JavaScript execution within the PDF and deallocation of form fields, conditions that an attacker can engineer with a crafted document.
OpenCVE Enrichment