Home

Description

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.

PUBLISHED Reserved 2026-03-08 | Published 2026-04-01 | Updated 2026-04-02 | Assigner Foxit




MEDIUM: 6.2CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-674: Uncontrolled Recursion

Product status

Default status
unaffected

Versions 2025.3 and earlier
affected

Versions 14.0.2 and earlier
affected

Versions 13.2.2 and earlier
affected

Default status
unaffected

Versions 2025.3 and earlier
affected

Credits

Suyue Guo from UCSB Seclab finder

References

www.foxit.com/support/security-bulletins.html

cve.org (CVE-2026-3778)

nvd.nist.gov (CVE-2026-3778)

Download JSON