{"timestamp":"2026-04-01T14:19:00.361361Z","id":"CVE-2026-3777","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Foxit Software Inc.","product":"Foxit PDF Editor","defaultStatus":"unaffected","platforms":["Windows","MacOS"],"versions":[{"version":"Versions 2025.3 and earlier","status":"affected"},{"version":"Versions 14.0.2 and earlier","status":"affected"},{"version":"Versions 13.2.2 and earlier","status":"affected"}]},{"vendor":"Foxit Software Inc.","product":"Foxit PDF Reader","defaultStatus":"unaffected","platforms":["Windows","MacOS"],"versions":[{"version":"Versions 2025.3 and earlier","status":"affected"}]}]

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AND
     OR
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 2023.1.0.15510 up to (including) 2023.3.0.23028
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 2024.1.0.23997 up to (including) 2024.4.1.27687
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions up to (including) 13.2.2.24014
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 14.0.0.33046 up to (including) 14.0.2.33402
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 2025.1.0.27937 up to (including) 2025.3.0.35737
          *cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:* versions up to (including) 2025.3.0.35737
     OR
          cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

AND
     OR
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 2023.1.0.55583 up to (including) 2023.3.0.63083
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 2024.1.0.63682 up to (including) 2024.4.1.66479
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions up to (including) 13.2.2.63349
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 14.0.0.68868 up to (including) 14.0.2.69164
          *cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* versions from (including) 2025.1.0.66692 up to (including) 2025.3.0.69570
          *cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:* versions up to (including) 2025.3.0.69570
     OR
          cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

Foxit: https://www.foxit.com/support/security-bulletins.html Types: Vendor Advisory

The application does not properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. When a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers are still kept and later dereferenced, which under crafted JavaScript and document structures can lead to a use-after-free condition and potentially allow arbitrary code execution.

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-416

https://www.foxit.com/support/security-bulletins.html