CVE-2022-28670 in Foxit

Summary

by MITRE • 07/18/2022

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of AcroForms. Crafted data in an AcroForm can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-16523.


Analysis

by VulDB Data Team • 05/04/2026

CVE-2022-28670 is an out-of-bounds read (CWE-125) in the AcroForms processing component of Foxit PDF Reader 11.2.1.53537. The flaw lies in how the reader handles form-field data structures while parsing a PDF document: crafted data inside the AcroForm hierarchy, for example a field whose declared size does not match the data actually present, causes the parser to read past the end of an allocated buffer. On its own the bug is an information disclosure rather than a code-execution flaw; its significance comes from what the leaked memory enables when combined with other vulnerabilities.

The operational impact extends beyond the disclosure itself. An attacker crafts a PDF containing the malformed AcroForm elements and delivers it as an attachment, a download, or a file served from a web page; the target must open the file or visit the page, so this is a client-side vector that depends on social engineering rather than on any network exposure of the victim. That pathway maps to ATT&CK technique T1203 "Exploitation for Client Execution"; a follow-on technique such as T1059 "Command and Scripting Interpreter" only comes into play if the leak is chained with a separate memory-corruption bug into code execution. The bytes read past the buffer can include heap metadata and pointer values that reveal where modules or heap allocations sit, which defeats ASLR and is exactly what an attacker needs to make a second vulnerability reliably exploitable in the context of the current process.

Exploiting CVE-2022-28670 means constructing AcroForm data structures that make the reader access memory beyond an allocation's bounds, typically a form field whose length indicator or internal structure is inconsistent with the bytes that follow it, so that the parser advances past the valid region. Whatever lies beyond the buffer is then treated as field data, which is how application state and pointer values end up exposed. The path to arbitrary code execution runs through this disclosure: by itself the read cannot alter control flow, but combined with another vulnerability it can lead to full compromise of the reader process. The issue matters most for organizations that rely on Foxit PDF Reader where users routinely open PDFs from untrusted sources.
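The length-confusion pattern described above, as an added illustration that is not Foxit's code and not the actual CVE-2022-28670 trigger: a toy record format (one tag byte, one declared-length byte, then the value) is parsed once by a function that trusts the declared length and once by a function that checks it against the bytes remaining. The record and the "adjacent heap data" that follows it are constructed sample bytes laid out in a single array so the overread stays inside allocated memory and the leaked bytes can be shown deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy record layout (an assumption for illustration, not any PDF structure):
 *   [1 byte tag][1 byte declared length][declared-length bytes of value]
 */

/* Constructed memory: a 16-byte "document" followed by 16 bytes standing in
 * for adjacent heap data (e.g. a pointer value that would defeat ASLR).
 * The single record claims 24 bytes of value but only 14 exist in the document. */
static const unsigned char g_mem[32] = {
    /* document (16 bytes): tag 0x54, declared length 24, value "name" + padding */
    0x54, 24, 'n', 'a', 'm', 'e', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* adjacent data (16 bytes) the parser must never touch */
    0x41, 0x41, 0x41, 0x41, 0x08, 0x07, 0x06, 0x05,
    0x04, 0x03, 0x02, 0x01, 0xEE, 0xEE, 0xEE, 0xEE
};

/* A well-formed record whose declared length fits: value "name". */
static const unsigned char g_good[8] = { 0x54, 4, 'n', 'a', 'm', 'e', 0, 0 };

/* VULNERABLE: validates only the 2-byte header, then trusts the declared length.
 * Returns the number of value bytes copied. When len > doc_len - 2 the memcpy
 * reads past the end of the document, i.e. an out-of-bounds read (CWE-125). */
size_t parse_field_unchecked(const unsigned char *doc, size_t doc_len,
                             unsigned char *out, size_t out_cap)
{
    if (doc_len < 2)
        return 0;
    size_t len = doc[1];
    if (len > out_cap)          /* the destination is bounded... */
        len = out_cap;
    memcpy(out, doc + 2, len);  /* ...but the source is not */
    return len;
}

/* HARDENED: the declared length must fit inside the bytes that remain.
 * Returns 0 on success and -1 if the record is malformed. */
int parse_field_checked(const unsigned char *doc, size_t doc_len,
                        unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (doc_len < 2)
        return -1;
    size_t len = doc[1];
    if (len > doc_len - 2)      /* declared length exceeds the buffer: reject */
        return -1;
    if (len > out_cap)
        return -1;
    memcpy(out, doc + 2, len);
    *out_len = len;
    return 0;
}

int main(void)
{
    unsigned char out[64];
    const size_t doc_len = 16;
    const size_t in_doc = doc_len - 2;   /* value bytes that really exist */

    size_t n = parse_field_unchecked(g_mem, doc_len, out, sizeof out);
    printf("unchecked parser returned %zu value bytes; bytes past the document:",
           n);
    for (size_t i = in_doc; i < n; i++)
        printf(" %02x", out[i]);
    printf("\n");

    size_t got = 0;
    int rc = parse_field_checked(g_mem, doc_len, out, sizeof out, &got);
    printf("checked parser on the same record: rc=%d\n", rc);
    rc = parse_field_checked(g_good, sizeof g_good, out, sizeof out, &got);
    printf("checked parser on a well-formed record: rc=%d, %zu bytes\n", rc, got);
    return 0;
}
```

The unchecked parser hands back ten bytes that were never part of the document, including the 0x08 0x07 0x06 0x05 0x04 0x03 0x02 0x01 sequence standing in for a leaked pointer; the checked parser refuses the record outright. Compiling the unchecked variant with `-fsanitize=address` against a heap-allocated copy of only the 16 document bytes reports the same read as a heap-buffer-overflow, which is how such bugs are usually found by fuzzing.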

Mitigation starts with updating Foxit PDF Reader to a release in which Foxit has fixed the issue; because the reader is installed per endpoint, the patch level of every installation should be verified rather than assumed. Until that is done, reduce exposure: open untrusted PDFs in an isolated or sandboxed viewer, disable JavaScript in the reader (this does not remove the parser-level read, but it typically hinders the exploitation chains that turn a leak into code execution), and use web filtering and endpoint protection to block known malicious delivery domains and detect exploitation attempts. Because the attack requires user interaction, network-based controls alone are insufficient; user awareness training on phishing and malicious attachments, together with incident response procedures for suspected exploitation, completes the picture. Periodic audits of PDF handling workflows and patch levels close the gap against this and similar memory-safety bugs in document parsers.

Sources
