A remote code execution vulnerability in Foxit PDF Reader, tracked as CVE-2024-30326, highlights the continued risk of malicious PDF files being used as an initial access vector.
According to the Zero Day Initiative advisory, CVE-2024-30326 is a Doc Object use-after-free vulnerability affecting Foxit PDF Reader. ZDI assigned the issue a CVSS score of 7.8 and said exploitation requires user interaction, meaning a target must open a malicious file or visit a crafted page.
The flaw exists in the way Foxit PDF Reader handles Doc objects. ZDI says the issue stems from failing to validate the existence of an object before performing operations on it, which can allow an attacker to execute code in the context of the current process.
Foxit addressed the issue as part of its April 2024 security updates. In its official bulletin, Foxit said Foxit PDF Reader 2024.2 and Foxit PDF Editor 2024.2 were released for Windows on April 28, 2024, with Foxit PDF Reader 2024.1.0.23997 and earlier listed as affected.
The same Foxit bulletin describes a broader set of issues involving use-after-free, out-of-bounds read, and type confusion conditions when parsing certain PDF files or handling Doc, Annotation, Signature, and AcroForm objects. Several of those bugs could be abused for remote code execution or information disclosure.
For defenders, the takeaway is simple: PDF readers should be treated as exposed client-side attack surface. Organizations should keep Foxit Reader and Editor updated, restrict unnecessary PDF browser/plugin behavior where possible, and remind users that a PDF attachment can still be a code execution risk.