CVE-2023-38117 in Foxit
Summary
by MITRE • 05/04/2024
Foxit PDF Reader AcroForm Doc Object Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21293.
Analysis
by VulDB Data Team • 08/13/2025
The vulnerability CVE-2023-38117 represents a critical use-after-free flaw in Foxit PDF Reader's handling of AcroForm Doc objects, classified under CWE-416 Use After Free. This remote code execution vulnerability resides in the PDF reader's document object management system where insufficient validation occurs before object operations. The flaw specifically manifests when the application processes Doc objects within PDF files containing AcroForm elements, creating a scenario where freed memory locations can be accessed and manipulated by malicious actors. Attackers exploit this by crafting malicious PDF documents that trigger the vulnerable code path during document parsing, particularly when processing form fields and interactive elements.
The technical exploitation of this vulnerability follows a classic use-after-free pattern where an attacker constructs a malicious PDF file containing specially crafted Doc objects that, when processed by Foxit Reader, cause memory deallocation followed by subsequent access to the same memory region. This memory corruption allows arbitrary code execution with the privileges of the currently running process, typically representing the user's session context. The vulnerability requires user interaction to be effective, meaning victims must either visit a malicious web page hosting the exploit or open the crafted PDF file directly. This requirement aligns with ATT&CK technique T1203 Exploitation for Client Execution, where adversaries leverage user interaction to deliver malicious payloads through commonly used applications like PDF readers.
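The root cause named in the summary, an operation performed on a Doc object whose existence was never re-validated, shown as an added C model that is not Foxit's code and does not reproduce the real code path: a hypothetical pooled object registry with script-style handles, the unchecked lookup beside a hardened one that confirms both that the object still exists and that it is the same object the handle was issued for.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model, not Foxit code: Doc objects live in a fixed pool and a
 * script-visible handle names a slot. The pool stands in for the heap so the
 * stale access is observable here instead of being undefined behaviour. */
#define MAX_DOCS 4
typedef struct {
    int in_use;           /* 0 once the Doc has been released */
    unsigned generation;  /* bumped on every release, so old handles go stale */
    char title[32];
} Doc;
typedef struct { int slot; unsigned generation; } DocHandle;
static Doc pool[MAX_DOCS];

DocHandle doc_open(const char *title) {
    for (int i = 0; i < MAX_DOCS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        snprintf(pool[i].title, sizeof pool[i].title, "%s", title);
        return (DocHandle){ i, pool[i].generation };
    }
    return (DocHandle){ -1, 0 };
}

void doc_close(DocHandle h) {
    if (h.slot < 0 || h.slot >= MAX_DOCS) return;
    pool[h.slot].in_use = 0;
    pool[h.slot].generation++;  /* invalidates every handle to this object */
}

/* Vulnerable pattern: trusts the handle and operates on whatever now occupies the slot. */
const char *doc_title_unchecked(DocHandle h) {
    return pool[h.slot].title;
}

/* Hardened pattern: confirm the object still exists and is the same object before use. */
const char *doc_title_checked(DocHandle h) {
    if (h.slot < 0 || h.slot >= MAX_DOCS) return NULL;
    if (!pool[h.slot].in_use || pool[h.slot].generation != h.generation) return NULL;
    return pool[h.slot].title;
}

int main(void) {
    DocHandle a = doc_open("invoice.pdf");
    doc_close(a);                         /* object released, but the handle lives on */
    DocHandle b = doc_open("other.pdf");  /* slot reused by a different Doc */
    printf("unchecked: %s\n", doc_title_unchecked(a));            /* other.pdf */
    printf("checked: %s\n", doc_title_checked(a) ? "ok" : "stale handle rejected");
    return doc_title_checked(b) ? 0 : 1;
}
```

The generation counter is what turns "the slot is occupied" into "the slot is occupied by the object this handle was issued for", which is the validation the advisory says was missing.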
The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to perform full system compromise through privilege escalation vectors. The use-after-free condition creates a memory corruption primitive through which attackers can overwrite critical function pointers or execute shellcode within the application's memory space. This vulnerability affects multiple versions of Foxit PDF Reader and represents a significant risk to organizations relying on this software for document processing, as PDF files are commonly used in business communications and document sharing environments. The ZDI-CAN-21293 identifier indicates this vulnerability was tracked by the Zero Day Initiative, highlighting its potential for widespread exploitation in the wild.
Mitigation strategies for CVE-2023-38117 include immediate patch deployment from Foxit Corporation, which should address the underlying object validation flaw in the AcroForm processing code. Organizations should implement restrictive PDF handling policies, including sandboxing PDF readers, disabling JavaScript execution, and employing content filtering systems that can detect and block malicious PDF files. Network-level protections such as web application firewalls and email security appliances can help prevent delivery of malicious PDF content. Additionally, user education regarding suspicious PDF attachments and web content should be emphasized, as social engineering remains a critical component in successful exploitation. System administrators should monitor for unusual PDF processing activity and implement least privilege principles for PDF reader applications to limit potential damage from successful exploitation attempts.