Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs

Tags: endpoint software vulnerability; widely deployed product advisory; proof-of-concept release
Updated April 11, 2026 at 05:24 PM (2 sources)


Foxit Reader contained two memory-corruption vulnerabilities in the U3DBrowser plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. CVE-2019-6983 stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized fread() into a much smaller heap buffer. CVE-2019-6982 involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a malloc-allocated buffer.
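The allocation-size confusion described above, shown as an added example that is not Foxit's code and not the STAR Labs proof of concept. It uses a toy block parser with an assumed layout of [u32 type][u32 data size][data] (not the real U3D File Header Block encoding), and places the vulnerable sizing path beside a hardened one. The 16-bit narrowing cast, the 16 MiB cap, the in-memory cursor standing in for fread(), and every sample byte are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-memory cursor standing in for a FILE*, so the example runs offline. */
typedef struct { const uint8_t *p; size_t len, pos; } cursor_t;

/* Mirrors fread(): copies up to n bytes, short read at end of input. */
static size_t cur_read(void *dst, size_t n, cursor_t *c) {
    size_t avail = c->len - c->pos;
    if (n > avail) n = avail;
    memcpy(dst, c->p + c->pos, n);
    c->pos += n;
    return n;
}

static uint32_t rd_le32(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Assumed block layout for this example (not the real U3D encoding):
   [u32 LE block type][u32 LE data size][data bytes]. */
#define HDR_LEN 8
#define MAX_BLOCK_LEN (16u * 1024u * 1024u)   /* assumed sanity cap */

typedef struct {
    size_t alloc_len;  /* bytes the parser would malloc()            */
    size_t read_len;   /* bytes the parser would fread() into them   */
    int    overflows;  /* read_len > alloc_len: heap buffer overflow */
} sizing_t;

/* VULNERABLE sizing logic. The 32-bit declared size is funnelled through a
 * 16-bit variable, so the allocation is silently truncated while the read
 * still uses the full declared size. The fread() itself is only shown in
 * comments: performing it would corrupt the heap, which is the point. */
sizing_t vulnerable_sizing(const uint8_t *buf, size_t len) {
    cursor_t c = { buf, len, 0 };
    uint8_t hdr[HDR_LEN];
    sizing_t s = { 0, 0, 0 };
    if (cur_read(hdr, HDR_LEN, &c) != HDR_LEN) return s;
    uint32_t data_size = rd_le32(hdr + 4);
    uint16_t alloc_size = (uint16_t)data_size;  /* BUG: narrowing cast */
    s.alloc_len = alloc_size;                   /* d = malloc(alloc_size);    */
    s.read_len  = data_size;                    /* fread(d, 1, data_size, f); */
    s.overflows = s.read_len > s.alloc_len;
    return s;
}

/* HARDENED parse: one width end to end, bounded by a cap and by the bytes
 * actually present. Returns a malloc()'d copy of the block data (caller
 * frees) with *out_len set, or NULL on any inconsistency. */
uint8_t *hardened_read_block(const uint8_t *buf, size_t len, size_t *out_len) {
    cursor_t c = { buf, len, 0 };
    uint8_t hdr[HDR_LEN];
    *out_len = 0;
    if (cur_read(hdr, HDR_LEN, &c) != HDR_LEN) return NULL;
    size_t data_size = rd_le32(hdr + 4);        /* size_t, never narrowed */
    if (data_size > MAX_BLOCK_LEN) return NULL;  /* absurd declared size  */
    if (data_size > c.len - c.pos) return NULL;  /* size runs past EOF    */
    uint8_t *d = malloc(data_size ? data_size : 1);
    if (d == NULL) return NULL;
    if (cur_read(d, data_size, &c) != data_size) { free(d); return NULL; }
    *out_len = data_size;
    return d;
}

/* Accepted data length, or -1 if the hardened parser rejects the block. */
long hardened_block_len(const uint8_t *buf, size_t len) {
    size_t n;
    uint8_t *d = hardened_read_block(buf, len, &n);
    if (d == NULL) return -1;
    free(d);
    return (long)n;
}

/* Constructed samples, not real PDF or U3D content. */
/* Malicious: declares 0x00010010 bytes; (uint16_t) truncates that to 0x0010. */
const uint8_t MALICIOUS_BLOCK[HDR_LEN + 32] = {
    0x14, 0x44, 0x00, 0x00,   /* block type (arbitrary)         */
    0x10, 0x00, 0x01, 0x00    /* data size = 0x00010010 LE      */
};                            /* remaining 32 bytes zero-filled */
/* Benign: declares 4 bytes and supplies exactly 4. */
const uint8_t BENIGN_BLOCK[HDR_LEN + 4] = {
    0x14, 0x44, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xDE, 0xAD, 0xBE, 0xEF
};
/* Truncated: declares 0x100 bytes but only 8 follow (short fread, stale heap). */
const uint8_t TRUNCATED_BLOCK[HDR_LEN + 8] = {
    0x14, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 1, 2, 3, 4, 5, 6, 7, 8
};

int main(void) {
    sizing_t s = vulnerable_sizing(MALICIOUS_BLOCK, sizeof MALICIOUS_BLOCK);
    printf("vulnerable: malloc(%zu) then fread(%zu) -> overflow=%d\n",
           s.alloc_len, s.read_len, s.overflows);
    printf("hardened: malicious=%ld benign=%ld truncated=%ld\n",
           hardened_block_len(MALICIOUS_BLOCK, sizeof MALICIOUS_BLOCK),
           hardened_block_len(BENIGN_BLOCK, sizeof BENIGN_BLOCK),
           hardened_block_len(TRUNCATED_BLOCK, sizeof TRUNCATED_BLOCK));
    return 0;
}
```

The vulnerable path deliberately stops short of the fread(); what matters is that the allocation and the read were sized from two different widths, so a declared size just over 64 KiB yields a 16-byte buffer and a 65,552-byte read. The hardened version keeps a single width, checks the declared size against the bytes actually present rather than only against a cap, and rejects short reads, which also closes the stale-heap-data case the truncated sample exercises.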

The flaws affected Foxit Reader 9.x builds, including version 9.1.0.5096 with U3DBrowser.fpi 9.1.0.425 and version 9.0.1.1049 with U3DBrowser.fpi 9.0.1.994. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.

Timeline

  1. Jan 3, 2019

    Foxit patches CVE-2019-6982 and CVE-2019-6983

    On 2019-01-03, Foxit released fixes for the two reported U3DBrowser plug-in vulnerabilities affecting Foxit Reader. Foxit later acknowledged both issues in its security bulletins.

  2. Nov 27, 2018

    STAR Labs reports two Foxit Reader U3D vulnerabilities to Foxit

    On 2018-11-27, STAR Labs notified Foxit of two vulnerabilities in the U3DBrowser plug-in used by Foxit Reader to render embedded 3D PDF annotations: CVE-2019-6982, a heap out-of-bounds write, and CVE-2019-6983, a heap overflow caused by malformed U3D File Header Block processing. Both issues could lead to arbitrary code execution in the context of the logged-on user.


Related Stories

Adobe Reader DC patched 3D PDF memory corruption flaws in U3D texture handling

Adobe patched two memory corruption vulnerabilities in **Adobe Reader DC 2019.010.20064** affecting the rendering of **3D content embedded in PDF files**. Tracked as `CVE-2019-7119` and `CVE-2019-7120`, the flaws were found in the `2d.x3d` and related `rt3d` processing path used for **ECMA-363 Universal 3D (U3D)** resources and external texture images. One bug allowed an **arbitrary out-of-bounds write** in `TRGB::Read()` and was observed crashing through `2d!png_set_filter_heuristics`, while the other involved an out-of-bounds condition in `TIF::Read()` tied to `_LoadILBM()`, reported as an out-of-bounds read at crash time but patched by Adobe as an **out-of-bounds write**. The vulnerabilities could be triggered with a crafted U3D file that manipulated texture metadata and referenced external image files, including `.iff` content, causing memory corruption when a user enabled 3D content display in a PDF. The exposure was not present in a default configuration unless **3D PDF rendering** was enabled, but organizations that regularly exchange **CAD and other 3D documents** faced higher risk. Adobe addressed both issues in advisory **`APSB19-17`** after coordinated disclosure from STAR Labs.

3 weeks ago
Adobe Reader DC 3D PDF Parsing Flaws Trigger Out-of-Bounds Reads

Adobe patched two out-of-bounds read vulnerabilities in **Adobe Reader DC** affecting version `2019.010.20099`, both tied to the `2d.x3d!_LoadTIFF()` processing path used to render embedded **U3D** 3D content inside PDF files. Tracked as `CVE-2019-8010` and `CVE-2019-8011`, the flaws can be triggered by a crafted PDF containing malformed external texture references in embedded 3D objects, causing the sandboxed Reader process to crash under the logged-on user context. The bugs affect Acrobat’s handling of ECMA-363 Universal 3D File Format resources, including external image and texture parsing such as PNG- and TIFF-related paths. The issue is not reachable in a default installation unless 3D content display is enabled, but it poses greater risk in environments that routinely exchange 3D PDFs, including CAD-heavy workflows where 3D viewing may be enabled by default. Adobe addressed both issues in advisory **`APSB19-41`** after coordinated disclosure by STAR Labs.

3 weeks ago
Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws

Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as **CVE-2026-5940** and **CVE-2026-5943** through Zero Day Initiative advisories **ZDI-26-301** and **ZDI-26-304**. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process. Exploitation requires user interaction, including opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves **AcroForm Annotation** objects; each carries a **CVSS 7.8** severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.

5 days ago
