CVE-2024-47810 Overview
CVE-2024-47810 is a use-after-free vulnerability [CWE-416] in Foxit Reader version 2024.3.0.26795. The flaw resides in how the application handles a 3D page object inside a PDF document. Attackers can trigger memory corruption by embedding specially crafted JavaScript inside a malicious PDF. Successful exploitation leads to arbitrary code execution in the context of the user running Foxit Reader.
Exploitation requires user interaction. A victim must open a malicious PDF file, or visit a malicious website if the Foxit browser plugin extension is enabled. The vulnerability affects Foxit PDF Editor, Foxit PDF Reader, and impacts users on Microsoft Windows.
Critical Impact
Arbitrary code execution as the current user through a crafted PDF or web page when the browser plugin is enabled.
Affected Products
- Foxit PDF Reader 2024.3.0.26795
- Foxit PDF Editor 2024.3.0.26795
- Microsoft Windows (host operating system)
Discovery Timeline
- 2024-12-18 - CVE-2024-47810 published to NVD
- 2025-08-25 - Last updated in NVD database
Technical Details for CVE-2024-47810
Vulnerability Analysis
The vulnerability is a use-after-free condition that occurs when Foxit Reader processes 3D page objects within a PDF document. JavaScript embedded in the PDF can manipulate object lifetimes so that a reference to a freed 3D object remains active. When that stale pointer is dereferenced, attackers can corrupt memory in a controlled manner.
Use-after-free conditions in PDF readers commonly serve as primitives for type confusion and arbitrary read/write capabilities. Once attackers achieve controlled memory corruption, they typically chain the flaw with heap grooming and return-oriented programming to bypass Data Execution Prevention and Address Space Layout Randomization. The end result is arbitrary code execution under the privileges of the user opening the document.
Root Cause
The root cause is improper object lifetime management within the 3D page object handler. The application frees the underlying object while JavaScript callbacks retain references to it. Subsequent operations against the freed object reach attacker-controlled memory, satisfying the conditions described in [CWE-416].
Attack Vector
The attack vector is network-based with required user interaction. An attacker delivers a malicious PDF through email, file sharing services, or a watering hole site. If the Foxit browser plugin extension is enabled, simply visiting an attacker-controlled URL that serves the crafted PDF is sufficient to trigger the flaw. No authentication or elevated privileges are required from the attacker.
No verified proof-of-concept code is publicly available for this vulnerability. Technical details are documented in the Talos Intelligence Vulnerability Report TALOS-2024-2094.
Detection Methods for CVE-2024-47810
Indicators of Compromise
- PDF documents containing embedded JavaScript that references or manipulates 3D annotation streams (/3D and /RichMedia dictionary entries)
- Foxit Reader or Foxit PDF Editor process crashes coinciding with the opening of PDF files from untrusted sources
- Unexpected child processes spawned by FoxitPDFReader.exe or FoxitPDFEditor.exe, such as cmd.exe, powershell.exe, or rundll32.exe
- Outbound network connections initiated by the Foxit process to previously unseen domains shortly after a PDF is opened
Detection Strategies
- Monitor process creation events where Foxit binaries are the parent process and the child is a scripting host or LOLBin
- Inspect PDFs at the email gateway for the combination of /JavaScript actions and 3D object references, which is uncommon in benign documents
- Hunt for memory access violations and exception events generated by Foxit processes in Windows Application or WER logs
Monitoring Recommendations
- Forward endpoint telemetry, including process trees and module loads, to a centralized analytics platform for retrospective hunting
- Track Foxit Reader and Foxit PDF Editor versions across the fleet and alert on any host running 2024.3.0.26795 or earlier
- Enable browser telemetry to identify users with the Foxit browser plugin extension enabled, since that path increases exposure
How to Mitigate CVE-2024-47810
Immediate Actions Required
- Upgrade Foxit PDF Reader and Foxit PDF Editor to the latest version released after 2024.3.0.26795 that addresses TALOS-2024-2094
- Disable the Foxit browser plugin extension across managed endpoints until patching is complete
- Block inbound PDF attachments from external senders at the email gateway, or detonate them in a sandbox before delivery
- Restrict execution of PDF readers to standard user accounts and remove local administrator rights where feasible
Patch Information
Foxit has acknowledged the vulnerability through the Talos Intelligence coordinated disclosure report. Administrators should consult the Foxit security bulletins page and deploy the fixed release across all Windows endpoints. Verify version numbers post-deployment because the affected build (2024.3.0.26795) must be replaced on every host.
Workarounds
- Disable JavaScript execution inside Foxit Reader through Preferences > JavaScript > Enable JavaScript Actions until patches are applied
- Disable 3D content rendering in Preferences > 3D to remove the affected code path from default processing
- Configure browsers to prompt before opening PDFs and remove or disable the Foxit PDF browser plugin
- Apply application allow-listing or attack surface reduction rules that block child process creation from PDF readers
# Disable Foxit JavaScript via registry on Windows endpoints
reg add "HKCU\Software\Foxit Software\Foxit PDF Reader\Preferences\JavaScript" /v bEnableJS /t REG_DWORD /d 0 /f
# Disable 3D content rendering
reg add "HKCU\Software\Foxit Software\Foxit PDF Reader\Preferences\3D" /v bEnable3D /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
