CVE-2026-3778

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-3778
The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.

6.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.foxit.com/support/security-bulletins.html Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
History

14 Apr 2026, 17:50

Type Values Removed Values Added
References () https://www.foxit.com/support/security-bulletins.html - () https://www.foxit.com/support/security-bulletins.html - Vendor Advisory
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
First Time Foxit
Microsoft windows
Microsoft
Foxit pdf Reader
Apple macos
Apple
Foxit pdf Editor
Summary
  • (es) La aplicación no detecta ni protege contra referencias cíclicas de objetos PDF al manejar JavaScript en PDF. Cuando se elaboran páginas y anotaciones que se referencian mutuamente en un bucle, al pasar el documento a las API (por ejemplo, SOAP) que realizan un recorrido profundo puede causar recursión incontrolada, agotamiento de la pila y bloqueos de la aplicación.

01 Apr 2026, 02:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-04-01 02:16

Updated : 2026-04-14 17:50

NVD link : CVE-2026-3778

Mitre link : CVE-2026-3778

CVE.ORG link : CVE-2026-3778

JSON object : View

Products Affected

foxit

  • pdf_editor
  • pdf_reader

microsoft

  • windows

apple

  • macos
CWE
CWE-674

Uncontrolled Recursion