{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3775", "assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2", "state": "PUBLISHED", "assignerShortName": "Foxit", "dateReserved": "2026-03-08T03:42:27.208Z", "datePublished": "2026-04-01T01:40:36.975Z", "dateUpdated": "2026-04-02T02:11:52.749Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "14984358-7092-470d-8f34-ade47a7658a2", "shortName": "Foxit", "dateUpdated": "2026-04-02T02:11:52.749Z"}, "title": "Foxit PDF Editor/Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-427", "description": "CWE-427: DLL Hijacking", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Potential arbitrary code execution"}]}], "affected": [{"vendor": "Foxit Software Inc.", "product": "Foxit PDF Editor", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "defaultStatus": "unaffected"}, {"vendor": "Foxit Software Inc.", "product": "Foxit PDF Reader", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution."}]}], "references": [{"url": "https://www.foxit.com/support/security-bulletins.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Erik Egsgard of Field Effect working with TrendAI Zero Day Initiative", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T14:16:37.847431Z", "id": "CVE-2026-3775", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:50:46.885Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3775", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T14:16:37.847431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T14:16:42.873Z"}}], "cna": {"title": "Foxit PDF Editor/Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Erik Egsgard of Field Effect working with TrendAI Zero Day Initiative"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Potential arbitrary code execution"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Foxit Software Inc.", "product": "Foxit PDF Editor", "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "Foxit Software Inc.", "product": "Foxit PDF Reader", "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.foxit.com/support/security-bulletins.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.", "supportingMedia": [{"type": "text/html", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: DLL Hijacking"}]}], "providerMetadata": {"orgId": "14984358-7092-470d-8f34-ade47a7658a2", "shortName": "Foxit", "dateUpdated": "2026-04-02T02:11:52.749Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3775", "state": "PUBLISHED", "dateUpdated": "2026-04-02T02:11:52.749Z", "dateReserved": "2026-03-08T03:42:27.208Z", "assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2", "datePublished": "2026-04-01T01:40:36.975Z", "assignerShortName": "Foxit"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution."}, {"lang": "es", "value": "El servicio de actualizaci\u00f3n de la aplicaci\u00f3n, al buscar actualizaciones, carga ciertas bibliotecas del sistema desde una ruta de b\u00fasqueda que incluye directorios escribibles por usuarios con pocos privilegios y no est\u00e1 estrictamente restringida a ubicaciones de sistema confiables. Debido a que estas bibliotecas pueden ser resueltas y cargadas desde ubicaciones escribibles por el usuario, un atacante local puede colocar una biblioteca maliciosa all\u00ed y hacer que se cargue con privilegios de SYSTEM, lo que resulta en una escalada de privilegios local y ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2026-3775", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary"}]}, "published": "2026-04-01T02:16:02.440", "references": [{"source": "14984358-7092-470d-8f34-ade47a7658a2", "url": "https://www.foxit.com/support/security-bulletins.html"}], "sourceIdentifier": "14984358-7092-470d-8f34-ade47a7658a2", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-01T06:27:18.450312+00:00", "value": {"mitigation_remediation": ["Apply the latest Foxit PDF Editor/Reader patch released by the vendor.", "If no patch is available yet, restrict write permissions on the directories referenced by the update service\u2019s search path so that only trusted system accounts can write there.", "Consider disabling the automatic update service until a fix is posted.", "Monitor system logs for unexpected library loads or changes to the search path directories."], "summary": {"action": "Apply Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Foxit Software\u00a0Inc. products Foxit PDF Editor and Foxit PDF Reader are affected. Specific product versions are not listed in the CNA data, so the vulnerability may apply to all releases that include the update service described.", "description_and_impact": "The update service in Foxit PDF Editor and Reader loads system libraries from a search path that includes directories writable by low\u2011privileged users and is not confined to trusted system locations. An attacker who can write to one of these directories can place a malicious library, which the update service will then load with SYSTEM privileges. This results in local privilege escalation and arbitrary code execution. The vulnerability is an instance of CWE\u2011427. The effect is that a non\u2011privileged user on a compromised or compromised\u2011by\u2011other means system can gain administrative rights and run arbitrary code.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, but the attack requires local access to the target system. The exploit is feasible for an attacker who can write to the vulnerable directories, which are typically user\u2011writable. In practice, the risk is moderate to high for environments where such directories are accessible by standard users and the update service is enabled."}}}}, "created": "2026-04-02T07:50:21.323404+00:00", "updated": "2026-04-02T07:50:21.323440+00:00", "vendors": []}