Cyber Posture

CVE-2026-3775

Severity: High

Published: 01 April 2026

Modified: 14 April 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.1 percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3775 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Foxit PDF Editor (the affected-products list below also includes Foxit PDF Reader). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Search Order Hijacking (T1038). Its EPSS score places it at the 4.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL Search Order Hijacking (T1038) and one other technique (T1068, Exploitation for Privilege Escalation).

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: SI-2 requires timely flaw remediation, directly addressing this CVE by applying vendor patches that fix the untrusted library search path in the update service.

Prevent: SI-7 mandates integrity checks for software and firmware, preventing the update service from loading and executing malicious libraries placed in user-writable search path directories.

Prevent: CM-6 enforces secure baseline configuration settings that restrict the library search path used by the SYSTEM-privileged update service to trusted, non-writable system locations only.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1038 DLL Search Order Hijacking (Persistence): Windows systems use a common method to look for required DLLs to load into a program.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The untrusted search path allows DLL Search Order Hijacking (T1038) by placing a malicious library in a writable directory on that path; because the library is loaded by a SYSTEM process, this directly enables local privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low-privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user-writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.

Deeper analysis [AI-generated]

CVE-2026-3775 is a local privilege escalation vulnerability (CWE-427: Uncontrolled Search Path Element) in the update service of a Foxit application. When checking for updates, the service loads certain system libraries from a search path that includes directories writable by low-privileged users, without strictly restricting resolution to trusted system locations. This flaw has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A low-privileged local attacker can exploit this vulnerability by placing a malicious library in a user-writable directory on the search path. When the update service runs with SYSTEM privileges and resolves libraries, it loads the attacker's malicious library, enabling arbitrary code execution, local privilege escalation to SYSTEM level, and full compromise of the system.

Foxit's security bulletins at https://www.foxit.com/support/security-bulletins.html provide details on patches and mitigations for this vulnerability. Security practitioners should consult the advisory for version-specific remediation steps.

Details

CWE(s): CWE-427 Uncontrolled Search Path Element

Affected Products

Foxit PDF Editor: ≤ 13.2.2.24014 · 14.0.0.33046 to 14.0.2.33402 · 2023.1.0.15510 to 2023.3.0.23028
Foxit PDF Reader: ≤ 2025.3.0.35737

CVEs Like This One

CVE-2026-3774 (same product: Foxit PDF Editor)
CVE-2025-33229 (same product: Microsoft Windows)
CVE-2026-3777 (same product: Foxit PDF Editor)
CVE-2025-57836 (same product: Microsoft Windows)
CVE-2024-55540 (same product: Microsoft Windows)
CVE-2025-15558 (same product: Microsoft Windows)
CVE-2024-55543 (same product: Microsoft Windows)
CVE-2025-21206 (same vendor: Microsoft)
CVE-2025-24998 (same vendor: Microsoft)
CVE-2026-5941 (same product: Foxit PDF Editor)
