Full Report
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability and six LibRaw file reader vulnerabilities. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy. For
Analysis Summary
# Vulnerability: Foxit Reader Use-After-Free
## CVE Details
- **CVE ID:** CVE-2026-3779
- **CVSS Score:** 8.8 (High), an estimate; this summary does not carry the vendor's or Talos' vector string. Under CVSS v3.1, 8.8 corresponds to AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; the same impacts scored with a Local attack vector (AV:L) give 7.8.
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Foxit Reader
- **Versions:** Not stated in this summary. Treat every build released before the vendor's April 2026 update as affected and consult the Talos vulnerability report for the exact version that was tested.
- **Configurations:** Systems where JavaScript execution is enabled within PDF documents.
## Vulnerability Description
A use-after-free (UAF) vulnerability exists in the way Foxit Reader handles `Array` objects within its JavaScript engine. When a PDF containing specially crafted JavaScript is parsed, the engine fails to properly manage the lifecycle of an Array object. By accessing this object after it has been freed from memory, an attacker can cause memory corruption.
## Exploitation
- **Status:** PoC available (Internal to discovery team; coordinated disclosure).
- **Complexity:** Medium. Crashing the reader needs only the crafted script; turning the dangling Array reference into code execution additionally requires a controlled reallocation of the freed object and a bypass of ASLR and DEP.
- **Attack Vector:** The user must open a malicious PDF, so the practical vector is a file delivered by email or web download. Note that an 8.8 base score implies the file-parsing bug was scored as network-reachable (AV:N); scored as Local (AV:L) it would be 7.8.
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Technical Impact:** Arbitrary Code Execution (ACE).
## Remediation
### Patches
- Users should update to the latest version of **Foxit Reader** available as of April 2026.
### Workarounds
- Disable JavaScript execution within Foxit Reader settings (Preferences > JavaScript > Uncheck "Enable JavaScript Actions").
- Do not open PDF files from untrusted or unknown sources.
***
# Vulnerability: LibRaw Memory Corruption Suite
## CVE Details
- **CVE IDs:**
- CVE-2026-20911 (Heap-based Buffer Overflow)
- CVE-2026-21413 (Heap-based Buffer Overflow)
- CVE-2026-20889 (Heap-based Buffer Overflow)
- CVE-2026-24660 (Heap-based Buffer Overflow)
- CVE-2026-24450 (Integer Overflow)
- CVE-2026-20884 (Integer Overflow)
- **CVSS Score:** Range 7.8 - 8.8 (High)
- **CWE:** CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow)
## Affected Systems
- **Products:** LibRaw (Library for processing RAW camera images).
- **Versions:** Affected LibRaw versions are not listed in this summary. Any application that links or bundles LibRaw (photo managers, converters, thumbnailers, server-side image pipelines) remains exposed until it ships the fixed library, regardless of its own version number.
- **Configurations:** Applications processing untrusted RAW image files.
## Vulnerability Description
Multiple flaws were identified in LibRaw’s image processing logic. In the integer overflow vulnerabilities (CVE-2026-24450, CVE-2026-20884), a size computed from attacker-controlled header fields (for example, dimensions multiplied by a per-pixel size) can wrap to a small value, so the buffer allocated for the image is undersized while the decoder still writes the full amount of data. Together with the four heap-based buffer overflow vulnerabilities, this allows a specially crafted RAW file to overwrite adjacent memory on the heap, potentially leading to remote code execution.
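The allocation-size pattern described above, as an added example that is illustrative and is not LibRaw's code: a hypothetical RAW-style header whose width, height and bytes-per-pixel fields are multiplied in 32-bit arithmetic (the vulnerable form) next to an overflow-checked computation with a policy cap and a bounds-checked row copy (the hardened form). The header layout, the 2 GiB cap and the sample dimensions are assumptions made for this example.

```c
/* Added example (not LibRaw source): integer overflow in an allocation-size
 * computation leading to an undersized heap buffer, and the hardened form. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_IMAGE_BYTES ((size_t)1 << 31)   /* 2 GiB policy limit; an assumption */

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} raw_header_t;   /* hypothetical RAW-style header, constructed for this example */

/* Vulnerable pattern: the product is computed in 32-bit unsigned arithmetic and
 * wraps silently, so a hostile header yields a tiny allocation while the decoder
 * still believes the image holds width*height pixels. */
uint32_t vuln_alloc_size(const raw_header_t *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Hardened pattern: every multiplication is overflow-checked, zero dimensions are
 * rejected and the result is capped. Returns 1 and sets *out on success, 0 otherwise. */
int safe_alloc_size(const raw_header_t *h, size_t *out)
{
    size_t n;
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return 0;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &n))
        return 0;
    if (__builtin_mul_overflow(n, (size_t)h->bytes_per_pixel, &n))
        return 0;
    if (n > MAX_IMAGE_BYTES)
        return 0;
    *out = n;
    return 1;
}

/* Bounds-checked copy of one decoded row into the pixel buffer: the guard a
 * heap-based buffer overflow in a decoder is missing. Returns 1 on success,
 * 0 if the row would land past the end of the buffer. */
int copy_row(uint8_t *buf, size_t buf_len, size_t row, size_t stride,
             const uint8_t *src, size_t src_len)
{
    size_t off;
    if (src_len != stride)
        return 0;
    if (__builtin_mul_overflow(row, stride, &off) || off > buf_len || stride > buf_len - off)
        return 0;
    memcpy(buf + off, src, src_len);
    return 1;
}

/* Decode an image through the hardened path into a freshly allocated buffer.
 * Returns the number of rows written, or -1 if the header or data is rejected. */
int decode_image(const raw_header_t *h, const uint8_t *pixels, size_t pixels_len)
{
    size_t need, stride, written = 0;
    uint8_t *buf;
    if (!safe_alloc_size(h, &need) || pixels_len != need)
        return -1;
    stride = (size_t)h->width * h->bytes_per_pixel;
    buf = malloc(need);
    if (!buf)
        return -1;
    for (size_t r = 0; r < h->height; r++) {
        if (!copy_row(buf, need, r, stride, pixels + r * stride, stride)) {
            free(buf);
            return -1;
        }
        written++;
    }
    free(buf);
    return (int)written;
}

int main(void)
{
    /* Constructed hostile header: 0x20000 * 0x8001 * 1 = 0x100020000, which wraps to 0x20000. */
    raw_header_t hostile = { 0x20000u, 0x8001u, 1u };
    raw_header_t sane = { 640u, 480u, 3u };
    size_t n = 0;

    printf("vulnerable size for hostile header: %u bytes (true size %llu)\n",
           vuln_alloc_size(&hostile),
           (unsigned long long)hostile.width * hostile.height * hostile.bytes_per_pixel);
    printf("hardened accepts hostile header: %d\n", safe_alloc_size(&hostile, &n));
    printf("hardened accepts sane header: %d (%zu bytes)\n", safe_alloc_size(&sane, &n), n);
    return 0;
}
```

The hostile header is the whole attack: a decoder that trusts `vuln_alloc_size` allocates 128 KiB and then writes just over 4 GiB of pixel data into it. `__builtin_mul_overflow` is available in GCC and Clang; on other compilers the equivalent check is `a != 0 && b > SIZE_MAX / a` before each multiplication.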
## Exploitation
- **Status:** Not currently exploited in the wild.
- **Complexity:** Medium
- **Attack Vector:** Local in the CVSS sense (a malicious RAW image file must be processed). Where LibRaw runs inside a service that decodes uploaded files, for example a thumbnail or conversion pipeline, the effective vector is network: the attacker only has to upload the file.
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- Apply vendor-specific updates for **LibRaw**. Developers using LibRaw should pull the latest security commits from the official repository.
### Workarounds
- Decode untrusted RAW files in a separate, unprivileged, sandboxed worker process (seccomp or AppArmor on Linux, AppContainer on Windows) so that memory corruption in the decoder cannot compromise the host application. Pre-validation of the file is a weak control on its own, since the malformed values that trigger these bugs are internal to the RAW format.
## Detection
- **Indicators of compromise:** This summary lists no file hashes or network indicators. Repeated crashes of FoxitReader.exe, or of an application that links LibRaw, while opening a particular file are a weak signal; retain the file and the crash dump for analysis instead of treating the crash as benign.
- **Detection methods and tools:**
- Use Snort rules provided by Cisco Talos to detect exploitation attempts at the network level.
- Monitor process-creation telemetry (Sysmon Event ID 1, EDR) for `FoxitReader.exe` spawning child processes such as `cmd.exe`, `powershell.exe` or `rundll32.exe`; a PDF reader has little legitimate reason to launch other programs.
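The child-process check above, as an added example that is not a Talos rule and not code from the original page: a small C routine that reads process-creation records, extracts the parent and child image paths, and flags records where the parent is `FoxitReader.exe` and the child is not on an allowlist. The record layout (`key=value` fields separated by `|`), the sample events and the allowlist are assumptions constructed for this example; Sysmon itself emits XML, so in practice the field extraction would be replaced by the SIEM's own parser.

```c
/* Added example (not from Talos): flag unexpected child processes of
 * FoxitReader.exe in Sysmon-style process-creation records. The '|'-separated
 * key=value layout below is an assumption for this example, not Sysmon's format. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FIELD_MAX 260

/* Children a PDF reader may legitimately spawn; an assumption, tune per environment. */
static const char *allowed_children[] = { "FoxitReader.exe", "WerFault.exe", NULL };

/* Constructed sample events: two benign, two that should be flagged. */
static const char *const sample_events[] = {
    "EventID=1|ParentImage=C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitReader.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitReader.exe|CommandLine=FoxitReader.exe invoice.pdf",
    "EventID=1|ParentImage=C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitReader.exe"
    "|Image=C:\\Windows\\System32\\WerFault.exe|CommandLine=WerFault.exe -u -p 4120",
    "EventID=1|ParentImage=C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitReader.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -nop -w hidden -enc AAAA",
};
#define SAMPLE_COUNT (sizeof sample_events / sizeof sample_events[0])

/* Case-insensitive string equality (Windows paths are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Final path component, accepting either separator. */
static const char *win_basename(const char *path)
{
    const char *b = strrchr(path, '\\');
    const char *s = strrchr(path, '/');
    const char *last = b;
    if (s && (!last || s > last))
        last = s;
    return last ? last + 1 : path;
}

/* Copy the value of key=... (a field starts at the line or after '|') into out. */
static int get_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = line;
    while (p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '|');
            size_t n = end ? (size_t)(end - v) : strlen(v);
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '|');
        if (p)
            p++;
    }
    return 0;
}

/* 1 if the record is a process creation whose parent is FoxitReader.exe and whose
 * child image is not allowlisted; 0 otherwise (including malformed records). */
int is_suspicious_child(const char *line)
{
    char eid[16], parent[FIELD_MAX], image[FIELD_MAX];
    if (!get_field(line, "EventID", eid, sizeof eid) || strcmp(eid, "1") != 0)
        return 0;
    if (!get_field(line, "ParentImage", parent, sizeof parent))
        return 0;
    if (!get_field(line, "Image", image, sizeof image))
        return 0;
    if (!ieq(win_basename(parent), "FoxitReader.exe"))
        return 0;
    for (const char **a = allowed_children; *a; a++)
        if (ieq(win_basename(image), *a))
            return 0;
    return 1;
}

/* Number of suspicious records in a batch. */
int count_suspicious(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_suspicious_child(lines[i]))
            hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (is_suspicious_child(sample_events[i]))
            printf("ALERT: %s\n", sample_events[i]);
    printf("%d suspicious of %zu\n", count_suspicious(sample_events, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

The allowlist is the tuning knob: keep it short and review every entry, because an exploit that spawns a renamed binary from a Foxit directory would pass a loose basename match. Matching on the parent's full path rather than its basename closes that gap where the install location is known.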
## References
- Cisco Talos Blog: hxxps[://]blog[.]talosintelligence[.]com/foxit-libraw-vulnerabilities/
- TALOS-2026-2365: hxxps[://]talosintelligence[.]com/vulnerability_reports/TALOS-2026-2365
- TALOS-2026-2330: hxxps[://]talosintelligence[.]com/vulnerability_reports/TALOS-2026-2330
- Snort Rules: hxxps[://]snort[.]org/