CVE-2026-3778— Stack exhaustion caused by cyclic references in Foxit PDF Editor/Reader
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-3778
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Stack exhaustion caused by cyclic references in Foxit PDF Editor/Reader
Source: NVD (National Vulnerability Database)
Vulnerability Description
The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经控制的递归
Source: NVD (National Vulnerability Database)
Vulnerability Title
Foxit PDF Reader和Foxit PDF Editor 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Foxit PDF Reader和Foxit PDF Editor都是中国福昕(Foxit)公司的产品。Foxit PDF Reader是一款PDF阅读器。Foxit PDF Editor是一款PDF编辑器。 Foxit PDF Reader和Foxit PDF Editor存在安全漏洞,该漏洞源于处理PDF中的JavaScript时未检测或防范循环PDF对象引用,可能导致特制文档引发不受控制的递归、堆栈耗尽和应用程序崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Foxit Software Inc. | Foxit PDF Editor | Versions 2025.3 and earlier | - | |
| Foxit Software Inc. | Foxit PDF Reader | Versions 2025.3 and earlier | - |
II. Public POCs for CVE-2026-3778
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-3778
请登录查看更多情报信息。
Same Patch Batch · Foxit Software Inc. · 2026-04-01 · 8 CVEs total
| CVE-2026-3775 | 7.8 HIGH | Foxit PDF Editor/Reader Update Service Uncontrolled Search Path Element Local Privilege Es |
| CVE-2026-3779 | 7.8 HIGH | Foxit PDF Editor/Reader List Box Calculate Array Use-After-Free Vulnerability |
| CVE-2026-3780 | 7.3 HIGH | Foxit PDF Editor/Reader Installer Uncontrolled Search Path Privilege Escalation |
| CVE-2026-4947 | 7.1 HIGH | Insecure Direct Object Reference (IDOR) Leading to Signature Forgery in Foxit eSign |
| CVE-2026-3776 | 5.5 MEDIUM | Null pointer dereference in Foxit PDF Editor/Reader when accessing stamp annotation |
| CVE-2026-3777 | 5.5 MEDIUM | Use after free of view cache in Foxit PDF Editor/Reader |
| CVE-2026-3774 | 4.7 MEDIUM | Self-Modifications Affecting Altered Printing and Redaction in Foxit PDF Editor |
IV. Related Vulnerabilities
Same product: Foxit PDF Editor
- CVE-2026-5937
Foxit PDF Editor/Reader's insufficient parameter validation - CVE-2026-5938
Foxit PDF Editor/Reader Infinite Loop Denial-of-Service Vuln - CVE-2026-5940
Foxit PDF Editor/Reader Annotation Use-After-Free Remote Cod - CVE-2026-5942
Foxit PDF Editor/Reader AcroForm Signature Use-After-Free Vu - CVE-2026-5943
Foxit PDF Editor/Reader AcroForm Annotation Use-After-Free R
Same vendor: Foxit Software Inc.
- CVE-2026-5937
Foxit PDF Editor/Reader's insufficient parameter validation - CVE-2026-5938
Foxit PDF Editor/Reader Infinite Loop Denial-of-Service Vuln - CVE-2026-5940
Foxit PDF Editor/Reader Annotation Use-After-Free Remote Cod - CVE-2026-5942
Foxit PDF Editor/Reader AcroForm Signature Use-After-Free Vu - CVE-2026-5943
Foxit PDF Editor/Reader AcroForm Annotation Use-After-Free R
Same weakness: CWE-674
V. Comments for CVE-2026-3778
No comments yet