CVE-2022-43638

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files containing specially crafted U3D objects. It affects Foxit PDF Reader users running vulnerable versions, requiring user interaction through opening a malicious file or visiting a malicious webpage.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 12.0.1.12430 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case: Malware installation or data exfiltration from the compromised user's system.

🟢 If Mitigated: Limited impact with proper application sandboxing and user privilege restrictions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is technically straightforward once the malicious file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.0.2 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to install latest version
4. Restart application

🔧 Temporary Workarounds

Disable U3D file parsing

Platforms: all

Prevent Foxit from processing U3D content within PDF files. No command applies; this is a configuration setting only.

Use alternative PDF viewer

Platforms: all

Temporarily use a different PDF reader until patched.

🧯 If You Can't Patch

  • Restrict user privileges to standard user accounts (not administrator)
  • Implement application sandboxing or use Microsoft Defender Application Guard for browsing

🔍 How to Verify

Check if Vulnerable:

Check Foxit PDF Reader version in Help > About

Check Version:

On Windows: wmic product where name="Foxit PDF Reader" get version

Verify Fix Applied:

Verify version is 12.0.2 or higher in Help > About
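
The version check above can be scripted for fleet use. The following is an added example, not vendor or source-page code: it reads the standard Windows Uninstall registry keys rather than `wmic product` (Win32_Product), which is slow and makes Windows Installer re-validate every MSI package it enumerates. It assumes the installer registers a DisplayName containing "Foxit PDF Reader"; the function name `Test-FoxitVersion` is hypothetical.

```powershell
# Added example: classify installed Foxit PDF Reader builds against the fixed release.
# Assumption: DisplayName contains "Foxit PDF Reader" (the product name used on this page).
$FixedVersion = [version]'12.0.2'   # first fixed release per this page

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-FoxitVersion {
    param(
        [string]$DisplayVersion,
        [version]$Fixed = $FixedVersion
    )
    # An empty or non-numeric DisplayVersion must not be reported as patched.
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'Unknown' }
    # [version] compares component by component, so 12.0.1.12430 sorts below 12.0.2.
    if ($parsed -lt $Fixed) { return 'Vulnerable' }
    return 'Patched'
}

# Per-machine (64-bit and 32-bit views) and per-user installs are all checked.
$found = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Foxit PDF Reader*' })

if ($found.Count -eq 0) {
    Write-Output 'Foxit PDF Reader not found in Uninstall registry keys.'
}
else {
    foreach ($entry in $found) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $entry.DisplayName
            Version  = $entry.DisplayVersion
            Status   = Test-FoxitVersion -DisplayVersion $entry.DisplayVersion
        }
    }
}
```

An `Unknown` status means the registry entry carried no parseable version and should be confirmed in Help > About.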

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with U3D-related errors
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Outbound connections from Foxit Reader to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name:"FoxitReader.exe" AND (event_id:1000 OR parent_process_name:"FoxitReader.exe")
