← back
CVE-2026-3778

Stack exhaustion caused by cyclic references in Foxit PDF Editor/Reader

CVSS 6.2 MEDIUMEPSS 0.1%CWE-674
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.2EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
01 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
Foxit Software Inc. · Foxit PDF EditorFoxit Software Inc. · Foxit PDF Reader

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.foxit.com/support/security-bulletins.html