Cyber Resilience

CVE-2026-3775

High

Published: 01 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (see vendor security bulletin)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (16.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3775 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Foxit PDF Editor and Foxit PDF Reader. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique T1574.001 (Hijack Execution Flow: DLL). EPSS places it at the 16.3rd percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3775 is a local privilege escalation vulnerability (CWE-427: Uncontrolled Search Path Element) in the update service shipped with Foxit PDF Editor and Foxit PDF Reader. When the service checks for updates, it loads certain system libraries by name through a search path that includes directories writable by low-privileged users, instead of restricting resolution to trusted system locations (for example by loading from a full path or limiting the search to System32). The flaw carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A low-privileged local attacker exploits it by dropping a library with the expected file name into a user-writable directory on the service's search path and waiting for the next update check; no user interaction is required (UI:N). Because the service runs as SYSTEM, the attacker's library is loaded and executed with SYSTEM privileges, yielding arbitrary code execution, elevation from a standard user to SYSTEM, and full compromise of the host.

Foxit's security bulletins at https://www.foxit.com/support/security-bulletins.html provide details on patches and mitigations for this vulnerability. Security practitioners should consult the advisory for version-specific remediation steps.

Vulnerability details

The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low-privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user-writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.
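The check a practitioner wants after reading the description above is "which directories on this service's search path can a standard user actually write to?". The script below is an added example for this page; it is not code from the page or from Foxit. It assumes the default Windows DLL search order for a process that does not restrict resolution (application directory, System32, %SystemRoot%, then every %PATH% entry). The advisory does not name the updater's Windows service, so the -ServiceName value is a placeholder to replace with the real name (Get-Service | Where-Object DisplayName -like '*Foxit*' will list candidates). Run it as the low-privileged user whose access you want to test, not as an administrator.

```powershell
# Added example: audits which directories in a Windows service's DLL search path
# the CURRENT user can write to. Not code from the page or from Foxit.
#
# Assumptions (not stated on the page):
#  * The Windows service name of the Foxit updater is not given in the advisory,
#    so the -ServiceName value used at the bottom is a placeholder.
#  * The search order modelled is the default one for a process that does not
#    restrict resolution (application directory, System32, %SystemRoot%, then
#    every %PATH% entry). A loader that uses full paths or
#    LOAD_LIBRARY_SEARCH_SYSTEM32 never reaches the PATH entries.

function Get-ServiceSearchPath {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }

    # PathName is either "C:\...\svc.exe" args (quoted) or C:\...\svc.exe args.
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($svc.PathName -split ' ')[0] }
    $appDir = Split-Path -Path $exe -Parent

    # Default search order with SafeDllSearchMode on. The working directory is
    # omitted because a service normally starts in System32 anyway.
    $dirs = @($appDir, (Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)
    $dirs += $env:Path -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    return $dirs | Select-Object -Unique
}

function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        # A write probe reflects the effective permission (inheritance, deny
        # ACEs, group membership); reading the ACL alone is easy to misjudge.
        [System.IO.File]::WriteAllText($probe, 'probe')
    } catch {
        return $false
    }
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    return $true
}

function Find-HijackableDirs {
    param([Parameter(Mandatory)][string]$ServiceName)

    foreach ($dir in Get-ServiceSearchPath -ServiceName $ServiceName) {
        [pscustomobject]@{
            Directory    = $dir
            UserWritable = Test-UserWritable -Directory $dir
        }
    }
}

# Any directory reported here can host a DLL that the SYSTEM-level service would
# resolve before, or instead of, the intended system copy.
Find-HijackableDirs -ServiceName 'FoxitUpdateServicePlaceholder' |
    Where-Object UserWritable |
    Format-Table -AutoSize
```

Two caveats. A PATH entry that does not exist yet but sits under a user-writable parent (a tool that was uninstalled but left its PATH entry behind) is just as exploitable, and the probe returns false for it because the directory is missing, so review non-existent entries by hand. Any writable directory the audit does find, typically a third-party tool that added itself to the system PATH with loose permissions, is the configuration fix for CM-6: tighten its ACL with icacls so that only Administrators and SYSTEM hold write access, or remove the entry from the system PATH.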

CWE(s)

CWE-427 Uncontrolled Search Path Element

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.001 DLL (Stealth): Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The uncontrolled search path allows DLL search order hijacking (T1574.001) through placement of a malicious library in a writable directory; because the library is loaded by a SYSTEM process, this directly enables local privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3774 (same product: Foxit PDF Editor)
CVE-2025-33229 (same product: Microsoft Windows)
CVE-2026-3777 (same product: Foxit PDF Editor)
CVE-2025-15558 (same product: Microsoft Windows)
CVE-2022-28339 (same product: Microsoft Windows)
CVE-2024-55543 (same product: Microsoft Windows)
CVE-2025-57836 (same product: Microsoft Windows)
CVE-2024-55540 (same product: Microsoft Windows)
CVE-2025-21206 (same vendor: Microsoft)
CVE-2025-24998 (same vendor: Microsoft)

Affected Assets

Foxit PDF Editor: ≤ 13.2.2.24014; 14.0.0.33046 to 14.0.2.33402; 2023.1.0.15510 to 2023.3.0.23028
Foxit PDF Reader: ≤ 2025.3.0.35737

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): requires timely flaw remediation, which directly addresses this CVE by applying the vendor patch that fixes the library search path used by the update service.

SI-7 Software, Firmware, and Information Integrity (prevent): mandates integrity verification of software, which blocks a malicious library placed in a user-writable search-path directory only where the update service, or a platform code-signing policy, actually verifies what it loads; treat it as defence in depth behind SI-2.

CM-6 Configuration Settings (prevent): enforces a secure baseline so that library resolution for the SYSTEM-privileged update service stays within trusted locations, both by the application limiting its search to System32 or full paths and by ensuring that no directory on the service's search path (its install directory and every system PATH entry) is writable by standard users.
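The controls above are preventive; the detection that pairs with them is the post-exploitation signature of this bug class, a high-privilege process loading a DLL from a user-writable location. The script below is an added example for this page, not code from the page or from Foxit. It assumes Sysmon is installed with Event ID 7 (ImageLoaded) enabled for the service binary and that the Sysmon build in use writes the User field on event 7 (recent builds do; on older ones resolve the user from the ProcessGuid of the matching Event ID 1). The sample events and the vendor path in them are constructed for the example.

```powershell
# Added example: flags image loads by privileged accounts from user-writable
# roots in Sysmon Event ID 7 records. Not code from the page or from Foxit.
#
# Assumptions (not stated on the page): Sysmon with Event ID 7 enabled for the
# service binary; the Sysmon build writes the User field on event 7. The sample
# events at the bottom are constructed, and the vendor path is fictitious.

# Roots a standard user can write under on a default Windows install. Extend
# with any site-specific PATH entries an audit found writable.
$UserWritableRoots = @(
    'C:\Users\',
    'C:\ProgramData\',
    'C:\Windows\Temp\',
    'C:\Windows\Tasks\'
)

$PrivilegedAccounts = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

function ConvertFrom-SysmonEvent {
    # Flattens an EventLogRecord's <EventData><Data Name="..."> elements into a hashtable.
    param([Parameter(Mandatory)]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Test-SuspiciousImageLoad {
    param([Parameter(Mandatory)][hashtable]$E)

    $loaded = [string]$E['ImageLoaded']
    $fromWritable = $false
    foreach ($root in $UserWritableRoots) {
        if ($loaded.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $fromWritable = $true }
    }
    $privileged = $PrivilegedAccounts -contains $E['User']
    # The signature filter cuts noise from legitimately installed per-user
    # software; drop it if you want every privileged load from these roots.
    $untrusted = ($E['Signed'] -ne 'true') -or ($E['SignatureStatus'] -ne 'Valid')

    return ($fromWritable -and $privileged -and $untrusted)
}

# Constructed sample events (not real telemetry).
$SampleEvents = @(
    @{ UtcTime = '2026-04-02 09:14:11.120'; Image = 'C:\Program Files\ExampleVendor\UpdateService.exe'
       ImageLoaded = 'C:\Windows\System32\version.dll'; Signed = 'true'; SignatureStatus = 'Valid'
       User = 'NT AUTHORITY\SYSTEM' },
    @{ UtcTime = '2026-04-02 09:14:11.131'; Image = 'C:\Program Files\ExampleVendor\UpdateService.exe'
       ImageLoaded = 'C:\Users\alice\AppData\Local\Temp\version.dll'; Signed = 'false'; SignatureStatus = 'Unavailable'
       User = 'NT AUTHORITY\SYSTEM' },
    @{ UtcTime = '2026-04-02 09:15:02.004'; Image = 'C:\Users\alice\AppData\Local\Programs\Tool\tool.exe'
       ImageLoaded = 'C:\Users\alice\AppData\Local\Programs\Tool\helper.dll'; Signed = 'false'; SignatureStatus = 'Unavailable'
       User = 'CORP\alice' },
    @{ UtcTime = '2026-04-02 09:16:40.577'; Image = 'C:\Program Files\ExampleVendor\UpdateService.exe'
       ImageLoaded = 'C:\ProgramData\ExampleVendor\plugin.dll'; Signed = 'true'; SignatureStatus = 'Valid'
       User = 'NT AUTHORITY\SYSTEM' }
)

$SampleEvents | Where-Object { Test-SuspiciousImageLoad -E $_ } | ForEach-Object {
    '{0}  {1} loaded {2} as {3}' -f $_.UtcTime, $_.Image, $_.ImageLoaded, $_.User
}

# Live query on a Sysmon host (needs read access to the Sysmon log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents 5000 |
#     ForEach-Object { ConvertFrom-SysmonEvent -Record $_ } |
#     Where-Object { Test-SuspiciousImageLoad -E $_ }
```

Of the four constructed events only the second fires: a SYSTEM process loading an unsigned version.dll from a user's Temp directory. The first is the intended System32 copy, the third is a standard user loading their own tool's DLL, and the fourth is filtered by the signature condition even though it comes from ProgramData. Keep in mind that an attacker can bring a validly signed DLL that proxies to a malicious payload, so in high-value environments remove the $untrusted condition and triage every privileged load from these roots instead.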
