CVE-2023-38111

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Reader's annotation handling that allows remote attackers to execute arbitrary code when a user opens a malicious PDF file or visits a malicious webpage. It affects users of Foxit PDF Reader who open untrusted documents. The vulnerability exists due to improper validation of annotation objects before performing operations on them.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: prior to 12.1.3
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability affects the core annotation functionality which is enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the PDF Reader process, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation or arbitrary code execution within the context of the PDF Reader process, potentially allowing data exfiltration or installation of additional malware.

🟢 If Mitigated

Application crash or denial of service if exploit fails, with potential for limited data exposure depending on sandboxing effectiveness.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

User interaction required (opening malicious PDF). The vulnerability was discovered by Zero Day Initiative (ZDI-CAN-21025) and has been publicly disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.3 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to download and install version 12.1.3 or later
4. Restart the application

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents JavaScript-based exploitation vectors

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

all

Open untrusted PDFs in protected/sandboxed mode

Open Foxit Reader > File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Use alternative PDF readers for opening untrusted documents
  • Implement application whitelisting to block Foxit Reader execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version in Help > About. If version is below 12.1.3, the system is vulnerable.

Check Version:

On Windows: wmic product where "name like 'Foxit%Reader%'" get version

Verify Fix Applied:

Verify version is 12.1.3 or higher in Help > About. Test with known safe PDF files to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Foxit Reader
  • Unusual process creation from Foxit Reader
  • Multiple failed annotation operations in application logs

Network Indicators:

  • Unexpected outbound connections from Foxit Reader process
  • Downloads of PDF files from suspicious sources

SIEM Query:

(process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001)) OR (process_parent_name:"FoxitReader.exe" AND process_name NOT IN (allowed_list))
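The same logic as the query above, written as a filter that can be run over exported events. This is an added example, not part of the original advisory: the field names follow the query, while the allowed-child list, the per-host grouping and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

READER = "foxitreader.exe"
CRASH_EVENT_IDS = {"1000", "1001"}   # event IDs named in the query
# Assumption: child processes treated as expected here; tune per environment.
ALLOWED_CHILDREN = {"splwow64.exe"}

def _name(value):
    """Reduce a process name or full path to a lowercase basename."""
    return str(value or "").replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return why an event matches the query, or None if it does not."""
    proc = _name(event.get("process_name"))
    parent = _name(event.get("process_parent_name"))
    # Event IDs arrive as int or str depending on the exporter.
    if proc == READER and str(event.get("event_id")) in CRASH_EVENT_IDS:
        return "reader_crash"
    # A record with no child name cannot be judged; skip it.
    if parent == READER and proc and proc not in ALLOWED_CHILDREN:
        return "unexpected_child"
    return None

def triage(events):
    """Group match reasons by host so co-occurring signals stand out."""
    by_host = defaultdict(set)
    for event in events:
        reason = classify(event)
        if reason:
            by_host[event.get("host", "unknown")].add(reason)
    return {host: sorted(reasons) for host, reasons in by_host.items()}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 1000, "process_name": "FoxitReader.exe"},
    {"host": "ws-01", "event_id": 1,
     "process_name": r"C:\Windows\System32\cmd.exe",
     "process_parent_name": "FoxitReader.exe"},
    {"host": "ws-02", "event_id": 1, "process_name": "splwow64.exe",
     "process_parent_name": "FoxitReader.exe"},
    {"host": "ws-03", "event_id": "1000", "process_name": "winword.exe"},
    {"host": "ws-04", "event_id": 1, "process_parent_name": "FoxitReader.exe"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(reasons))
```

A host that shows both a reader crash and an unexpected child process is the one to look at first.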
