CVE-2026-3777
Published: 01 April 2026
Summary
CVE-2026-3777 is a medium-severity Use After Free (CWE-416) vulnerability in Foxit PDF Editor. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely patching of the use-after-free flaw in Foxit software per vendor security bulletins, eliminating the vulnerability root cause.
Implements memory protections such as ASLR and DEP to prevent unauthorized code execution from stale pointer dereferences in use-after-free scenarios.
Conducts vulnerability scanning to identify and prioritize remediation of CVE-2026-3777 in deployed Foxit software instances.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in Foxit PDF reader triggered by crafted JS in malicious document leads to RCE on user open; directly enables client-side exploitation (T1203) via malicious file (T1204.002).
NVD Description
The application does not properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. When a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers are still kept and later dereferenced, which under crafted JavaScript and document structures can lead to a use-after-free condition and potentially allow arbitrary code execution.
Deeper analysis
CVE-2026-3777 is a use-after-free vulnerability (CWE-416) affecting Foxit software, published on 2026-04-01. The application fails to properly validate the lifetime and validity of internal view cache pointers after JavaScript changes the document zoom and page state. Specifically, when a script modifies the zoom property and then triggers a page change, the original view object may be destroyed while stale pointers are still retained and later dereferenced, leading to a use-after-free condition that can enable arbitrary code execution under crafted JavaScript and document structures.
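The lifetime check this class of bug lacks, as an added example that is not Foxit's code: a cache that stores a slot-plus-generation handle instead of a raw view pointer, so a view rebuilt after a zoom and page change invalidates every older reference. All type and function names are hypothetical, and the fixed-size pool is a simplified model.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a view cache; names are illustrative, not Foxit internals. */
#define MAX_VIEWS 4
typedef struct { uint32_t gen; int live; double zoom; int page; } View;
typedef struct { uint32_t slot; uint32_t gen; } ViewHandle; /* cached instead of View* */

static View pool[MAX_VIEWS];

/* Allocate the lowest free slot and bump its generation. */
static ViewHandle view_create(double zoom, int page) {
    for (uint32_t i = 0; i < MAX_VIEWS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].gen++;
            pool[i].zoom = zoom;
            pool[i].page = page;
            return (ViewHandle){ i, pool[i].gen };
        }
    }
    return (ViewHandle){ MAX_VIEWS, 0 }; /* pool exhausted: never resolves */
}

/* Resolve a cached handle; NULL means the view it named no longer exists. */
static View *view_resolve(ViewHandle h) {
    if (h.slot >= MAX_VIEWS) return NULL;
    View *v = &pool[h.slot];
    return (v->live && v->gen == h.gen) ? v : NULL;
}

static void view_destroy(ViewHandle h) {
    View *v = view_resolve(h);
    if (v) v->live = 0; /* stale or repeated destroy is a no-op */
}

/* Script-driven sequence from the description: zoom changes, then the page
   changes, and the original view is torn down and rebuilt. */
static ViewHandle zoom_then_page_change(ViewHandle cur, double zoom, int page) {
    view_destroy(cur);
    return view_create(zoom, page); /* reuses the freed slot, new generation */
}

int main(void) {
    ViewHandle cached = view_create(1.0, 0);
    ViewHandle fresh = zoom_then_page_change(cached, 2.0, 1);
    printf("same slot: %d, stale handle resolves: %d, fresh resolves: %d\n",
           cached.slot == fresh.slot, view_resolve(cached) != NULL,
           view_resolve(fresh) != NULL);
    return 0;
}
```

A raw `View *` taken before the rebuild would still point at the reused slot; the generation mismatch is what lets the cache detect that the original view is gone.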
The vulnerability has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating local access is required with low attack complexity, no privileges, and user interaction. A local attacker can exploit it by providing a malicious document containing crafted JavaScript that manipulates zoom and page state, tricking the user into processing it, potentially causing a crash (high availability impact) or achieving arbitrary code execution.
Mitigation details are available in Foxit's security bulletins at https://www.foxit.com/support/security-bulletins.html.
Details
- CWE(s)