CVE-2020-26534
📋 TL;DR
This CVE describes a use-after-free vulnerability in the AcroForm JavaScript engine shared by Foxit Reader and Foxit PhantomPDF (versions before 10.1). An attacker who gets a victim to open a crafted PDF can trigger the bug from document JavaScript and, with a working exploit, execute arbitrary code in the context of the user running Foxit. All users of affected versions on any platform where these products run are at risk.
💻 Affected Systems
- Foxit Reader
- Foxit PhantomPDF
📦 What is this software?
Foxit Reader is Foxit Software's free PDF viewer; Foxit PhantomPDF is its commercial PDF editor. Both products ship the same AcroForm JavaScript engine, which is why a single bug in that engine affects both.
⚠️ Risk & Real-World Impact
Worst Case
Code execution in the context of the user who opened the PDF. If that user has local administrator rights (or the attacker chains a separate privilege-escalation bug), this becomes complete system compromise, with data theft, ransomware deployment or lateral movement within the network as follow-on activity. The bug itself does not grant SYSTEM privileges.
Likely Case
Arbitrary code execution with user-level privileges when a victim opens a malicious PDF document, potentially leading to malware installation, credential theft, or data exfiltration.
If Mitigated
Limited impact. With JavaScript disabled in Foxit the vulnerable code path is never reached; running Foxit as a standard (non-administrator) user, application sandboxing and exploit mitigations such as DEP/ASLR confine what a successful exploit can do; and user awareness reduces the chance that a malicious PDF is opened at all.
🎯 Exploit Status
Exploitation needs no authentication but does require user interaction: the victim must open the crafted PDF in a vulnerable Foxit version with JavaScript enabled (the default). Turning a use-after-free in a JavaScript engine into reliable code execution takes real skill (heap grooming to reclaim the freed object), but once a proof of concept exists, reusing it in a phishing campaign requires very little.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1 and later
Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.html
Restart Required: No
Instructions:
1. Download Foxit Reader/PhantomPDF 10.1 or later from the official website.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the version in Help > About.
🔧 Temporary Workarounds
Disable JavaScript in Foxit
Prevents AcroForm JavaScript execution, which is what triggers the vulnerability. PDF forms that rely on scripted validation or calculation will lose that behaviour while the setting is off.
Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use Alternative PDF Viewer
Temporarily switch to PDF software that is not affected by this bug (and is itself fully patched).
🧯 If You Can't Patch
- Use application control (for example AppLocker or WDAC) to block the vulnerable Foxit Reader/PhantomPDF binaries from launching on hosts that cannot be updated, and point users at a patched PDF viewer instead.
- Keep DEP and ASLR enforced (both are on by default on supported Windows releases; Windows Defender Exploit Protection can make them mandatory for the Foxit executables). They raise the cost of turning the use-after-free into code execution but do not prevent exploitation on their own.
- Ensure users run Foxit as standard, non-administrator accounts so that a successful exploit does not land with administrative rights.
🔍 How to Verify
Check if Vulnerable:
Check Foxit version in Help > About. If version is below 10.1, system is vulnerable.
Check Version:
On Windows: wmic product where name="Foxit Reader" get version (note that the WMI Product class enumerates the MSI database, is slow, and triggers a consistency check on every installed MSI package; wmic is also deprecated, so prefer reading the Uninstall registry keys or Get-Package in PowerShell)
Verify Fix Applied:
Confirm the version is 10.1 or higher in Help > About. Compare versions numerically, not as strings (10.0.1 is older than 10.1). If the JavaScript workaround is in use, verify it is still disabled after the update, since an installer may reset preferences.
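The following PowerShell script is an added example for the verification step above; it is not vendor-supplied code. It reads the standard Windows Uninstall registry keys instead of the slow WMI Product class, and compares the installed DisplayVersion against the fixed release 10.1 as a [version] so that 10.0.x sorts correctly below 10.1. It assumes the products register under those keys with a DisplayName beginning "Foxit Reader" or "Foxit PhantomPDF".

```powershell
# Added example (not from the vendor advisory): report installed Foxit Reader /
# PhantomPDF versions and flag anything older than the fixed release 10.1.
# Assumption: the products register under the standard Uninstall keys with a
# DisplayName starting "Foxit Reader" or "Foxit PhantomPDF".

$fixed = [version]'10.1'   # first release containing the fix for CVE-2020-26534
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Foxit (Reader|PhantomPDF)' }

if (-not $installs) {
    Write-Output 'No Foxit Reader or PhantomPDF installation found in the Uninstall keys.'
    return
}

foreach ($app in $installs) {
    # DisplayVersion is a string such as "10.0.1.35811". Casting to [version] makes the
    # comparison numeric, so "10.0.1" is ordered below "10.1"; a plain string compare
    # would get this wrong ("10.0.1" -gt "10.1" is $true as strings).
    $ver = $null
    $parsed = [version]::TryParse([string]$app.DisplayVersion, [ref]$ver)
    $status = if (-not $parsed) { 'UNKNOWN (unparseable version string)' }
              elseif ($ver -lt $fixed) { "VULNERABLE (CVE-2020-26534, fixed in $fixed)" }
              else { 'patched' }

    [pscustomobject]@{
        Product  = $app.DisplayName
        Version  = $app.DisplayVersion
        Location = $app.InstallLocation
        Status   = $status
    }
}
```

Run it in an elevated prompt on each host (or push it through your configuration-management tool) and collect the Status column; anything reported as VULNERABLE or UNKNOWN needs a manual Help > About check and the update described under Official Fix.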
📡 Detection & Monitoring
Log Indicators:
- Foxit crash logs with memory access violations (exception code 0xc0000005). These are the artifact of a failed or unstable exploit attempt; a well-built exploit may not crash the reader at all, so absence of crashes is not evidence of absence.
- Windows Application log events 1000 (Application Error) and 1001 (Windows Error Reporting) naming FoxitReader.exe or the PhantomPDF executable as the faulting application, especially with the fault inside the JavaScript engine module.
- FoxitReader.exe or PhantomPDF spawning unexpected child processes (cmd.exe, powershell.exe, rundll32.exe, mshta.exe), which is the usual first move of a document-borne payload after code execution.
Network Indicators:
- Outbound connections from the Foxit process to hosts other than Foxit's own update and cloud services, in particular shortly after a PDF was opened
- PDF attachments or downloads from suspicious or newly registered domains, or PDFs arriving via e-mail that contain embedded JavaScript
SIEM Query:
process_name="FoxitReader.exe" AND (event_id=1000 OR event_id=1001) AND exception_code=c0000005
(Pseudo-query: field names depend on your SIEM. On the Windows side, event 1000 and 1001 live in the Application log and carry the faulting application name and the exception code in the event message text rather than as separate fields, so your parser must extract them. Extend the process_name match to cover the PhantomPDF executable as well.)
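As an added example of the log-side detection above, independent of any SIEM, the PowerShell below pulls Application log events 1000 and 1001 from a host, keeps those that name a Foxit process, and parses the exception code and faulting module out of the event message. It is not code from the advisory. It assumes the Reader executable is FoxitReader.exe (as in the query above) and that the PhantomPDF executable is FoxitPhantomPDF.exe (an assumption; adjust to what your inventory shows), and it relies on the standard "Faulting application name: ... Exception code: 0x..." wording of event 1000. Event 1001 (WER) messages use a different layout, so for those the exception code stays empty and only the process match is reported.

```powershell
# Added example (not from the advisory): hunt the local Application log for Foxit
# crashes that look like memory corruption, i.e. access violations (0xc0000005).
# Assumptions: process names FoxitReader.exe / FoxitPhantomPDF.exe (the latter assumed),
# Event ID 1000 = Application Error, 1001 = Windows Error Reporting, and the event-1000
# message format "Faulting application name: X, ... Faulting module name: Y, ... Exception code: 0x...".

param(
    [int]$Days = 7,
    [string[]]$Processes = @('FoxitReader.exe', 'FoxitPhantomPDF.exe')
)

$filter = @{
    LogName   = 'Application'
    Id        = 1000, 1001
    StartTime = (Get-Date).AddDays(-$Days)
}

# Build one alternation regex from the process list so a single -match covers all of them.
$pattern = ($Processes | ForEach-Object { [regex]::Escape($_) }) -join '|'

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $m = $_.Message
        # Event 1000 carries these as free text; event 1001 does not, so they may stay $null.
        $exc      = if ($m -match 'Exception code:\s*(0x[0-9a-fA-F]+)') { $Matches[1].ToLower() } else { $null }
        $faultMod = if ($m -match 'Faulting module name:\s*([^,]+)')   { $Matches[1].Trim() }   else { $null }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            EventId        = $_.Id
            Process        = ($Processes | Where-Object { $m -match [regex]::Escape($_) } | Select-Object -First 1)
            ExceptionCode  = $exc
            FaultingModule = $faultMod
            Computer       = $_.MachineName
        }
    }

# Access violations are the highest-signal crash code for a use-after-free; other codes are
# still worth a look but are more often ordinary bugs. A successful exploit may leave no crash.
$accessViolations = @($hits | Where-Object { $_.ExceptionCode -eq '0xc0000005' })

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
Write-Output ("{0} Foxit crash event(s) in the last {1} day(s), {2} with exception code 0xc0000005" -f @($hits).Count, $Days, $accessViolations.Count)
```

Pair a hit from this script with the surrounding context (which PDF was open, where it came from, and whether the Foxit process started any child processes) before treating it as an exploitation attempt; a crash on its own is a lead, not a verdict.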