← Back

CVE-2024-25938

nvd nist
Published: Apr 30, 2024Modified: Nov 4, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: CNA (Secondary)

Description

A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Barcode widget. A specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Affected (9)

Foxit
2 products
Pdf Editor
Pdf Reader
Configuration A
6 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Foxit
Pdf Editor
Up to 11.2.8.53842
Pdf Editor
From 12.0.0.12394 to 12.1.4.15400
Pdf Editor
From 13.0.0.21632 to 13.0.1.21693
Pdf Editor
From 2023.1.0.15510 to 2023.3.0.23028
Pdf Editor
Version 2024.1.0.23997
Pdf Reader
Version 2024.1.0.23997
Running on/withPlatform Versions
Microsoft
Windows
All versions
Configuration B
3 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Foxit
Pdf Editor
Up to 11.1.6.0109
Pdf Editor
From 12.0.0.0601 to 12.1.2.55366
Pdf Editor
From 13.0.0.61829 to 13.0.1.61866
Running on/withPlatform Versions
Apple
Macos
All versions

Related CWEs

CWE-416
Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (3)

Source: talos-cna@cisco.com
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.