CVE-2018-20311 in Foxit
Summary
by MITRE • 01/07/2021
Foxit Reader before 9.5, and PhantomPDF before 8.3.10 and 9.x before 9.5, has a proxyCPDFAction race condition that can cause a stack-based buffer overflow or an out-of-bounds read.
Analysis
by VulDB Data Team • 06/16/2026
This vulnerability affects Foxit Reader versions prior to 9.5, and PhantomPDF versions before 8.3.10 and 9.x versions prior to 9.5. It is a critical race condition within the proxyCPDFAction functionality that can lead to either a stack-based buffer overflow or an out-of-bounds read. The flaw exists in the handling of PDF actions, where concurrent access to shared resources creates timing dependencies that allow malicious actors to manipulate memory operations. The race condition occurs when multiple threads attempt to access the same memory location without proper synchronization mechanisms, creating opportunities for memory corruption that can be exploited to execute arbitrary code or cause denial of service conditions.
The technical implementation involves improper thread synchronization during PDF action processing where the proxyCPDFAction component fails to properly guard shared memory regions. When PDF documents containing specially crafted actions are processed, the race condition can manifest as either a stack-based buffer overflow when data exceeds allocated memory boundaries or an out-of-bounds read when the application attempts to access memory locations outside the intended buffer limits. This vulnerability directly maps to CWE-362, which describes race conditions in concurrent programming where two or more threads access shared data concurrently and at least one of the threads is performing a write operation. The underlying flaw represents a classic timing-based security issue where the order of execution can be manipulated by an attacker to achieve unintended behavior.
From an operational impact perspective, this vulnerability poses significant risks to organizations relying on these PDF viewers for document processing and sharing. An attacker could craft malicious PDF files that trigger the race condition when opened by vulnerable applications, potentially leading to remote code execution on systems running affected software versions. The exploitation scenario typically involves sending crafted PDF documents through email attachments or web downloads, where the victim's system automatically processes the document using the vulnerable PDF reader. This creates a high-severity threat vector that aligns with ATT&CK technique T1203, which covers exploitation of remote services, and T1059, covering command and scripting interpreter usage. The vulnerability affects both desktop and server environments where these PDF processing applications are deployed, making it particularly dangerous in enterprise settings where document handling is frequent.
The recommended mitigations include immediate deployment of the patches provided by Foxit: update Reader to version 9.5 or later, and PhantomPDF to 8.3.10, or to 9.5 or later. These versions address the race condition through proper thread synchronization mechanisms. Organizations should also implement network-based controls such as PDF file filtering at perimeter defenses to prevent potentially malicious documents from reaching end-user systems. Additional protective measures include disabling automatic PDF processing in web browsers, implementing application whitelisting policies, and conducting regular security assessments of document handling workflows. Security teams should monitor for exploitation attempts through network traffic analysis and endpoint detection systems that can identify suspicious PDF processing activities. The vulnerability demonstrates the importance of proper concurrency control in security-critical applications and highlights the need for thorough testing of multi-threaded components in software development lifecycle processes.
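To support the patching step, a version-triage check follows as an added example; it is not code from VulDB, MITRE or Foxit. It flags software-inventory rows that fall in the affected ranges stated above; the `host,product,version` row format, the host names and the build numbers are constructed assumptions.

```python
import re

# Fixed versions taken from the advisory text above.
READER_FIXED = (9, 5)          # Foxit Reader: affected before 9.5
PHANTOM_8X_FIXED = (8, 3, 10)  # PhantomPDF: affected before 8.3.10
PHANTOM_9X_FIXED = (9, 5)      # PhantomPDF 9.x: affected before 9.5

def parse_version(text):
    """Turn '9.4.1.16828' into (9, 4, 1, 16828)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def older_than(version, fixed):
    """Tuple comparison with zero padding, so 9.5 equals 9.5.0.0."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def is_affected(product, version_text):
    """True if in an affected range; False if fixed or not covered here."""
    name = product.lower()
    if "phantompdf" not in name and "foxit reader" not in name:
        return False
    version = parse_version(version_text)
    if "phantompdf" in name:
        fixed = PHANTOM_9X_FIXED if version[0] >= 9 else PHANTOM_8X_FIXED
        return older_than(version, fixed)
    return older_than(version, READER_FIXED)

def triage(rows):
    """rows: 'host,product,version' strings (assumed inventory format)."""
    findings = []
    for row in rows:
        host, product, version = (field.strip() for field in row.split(","))
        try:
            if is_affected(product, version):
                findings.append((host, product, version, "patch"))
        except ValueError:
            findings.append((host, product, version, "review"))
    return findings

# Constructed sample inventory; hosts and build numbers are made up.
SAMPLE = [
    "ws-001,Foxit Reader,9.4.1.16828",
    "ws-002,Foxit PhantomPDF,8.3.10.42705",
    "ws-003,Foxit PhantomPDF,9.4.0",
    "ws-004,Foxit Reader,unknown",
]
FINDINGS = triage(SAMPLE)  # ws-001 and ws-003 need a patch, ws-004 needs review
```

Rows whose version cannot be parsed are returned with the status `review` instead of being silently treated as fixed.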