CVE-2026-3778
Uncontrolled Recursion in PDF JavaScript Causes Application Crash
Publication date: 2026-04-01
Last updated on: 2026-04-14
Assigner: Foxit
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| foxit | pdf_editor | From 2023.1.0.15510 (inc) to 2023.3.0.23028 (inc) |
| foxit | pdf_editor | From 2024.1.0.23997 (inc) to 2024.4.1.27687 (inc) |
| foxit | pdf_editor | to 13.2.2.24014 (inc) |
| foxit | pdf_editor | From 14.0.0.33046 (inc) to 14.0.2.33402 (inc) |
| foxit | pdf_editor | From 2025.1.0.27937 (inc) to 2025.3.0.35737 (inc) |
| foxit | pdf_reader | to 2025.3.0.35737 (inc) |
| foxit | pdf_editor | From 2023.1.0.55583 (inc) to 2023.3.0.63083 (inc) |
| foxit | pdf_editor | From 2024.1.0.63682 (inc) to 2024.4.1.66479 (inc) |
| foxit | pdf_editor | to 13.2.2.63349 (inc) |
| foxit | pdf_editor | From 14.0.0.68868 (inc) to 14.0.2.69164 (inc) |
| foxit | pdf_editor | From 2025.1.0.66692 (inc) to 2025.3.0.69570 (inc) |
| foxit | pdf_reader | to 2025.3.0.69570 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to update their Foxit PDF Reader and Editor applications to the latest versions.
Updates can be obtained through the application's built-in update feature or by downloading the latest versions from the Foxit website.
Can you explain this vulnerability to me?
This vulnerability occurs because the application does not detect or prevent cyclic references between PDF objects when handling JavaScript within PDFs.
Specifically, if pages and annotations in a PDF reference each other in a loop, and the document is passed to APIs that perform deep traversal (such as SOAP APIs), this can cause uncontrolled recursion.
The uncontrolled recursion leads to stack exhaustion and ultimately causes the application to crash.
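The control whose absence CWE-674 describes, as an added example (not Foxit's code): a deep traversal that tracks the objects on the current path and enforces a depth cap, so a page/annotation loop is rejected instead of recursing until the stack is exhausted. The object shapes (`page.annots`, `annot.page`) and all function names are assumptions made for illustration.

```javascript
// Added example: object shapes (page.annots, annot.page) are constructed for illustration.
class TraversalError extends Error {}

// Deep-copy a graph into plain data, refusing cycles and excessive depth.
function serializeDeep(root, maxDepth = 64) {
  const onPath = new Set(); // objects currently being expanded (the ancestors)
  function walk(value, depth, path) {
    if (value === null || typeof value !== "object") return value; // leaf
    if (onPath.has(value)) throw new TraversalError(`cyclic reference at ${path}`);
    if (depth >= maxDepth) throw new TraversalError(`depth limit ${maxDepth} exceeded`);
    onPath.add(value);
    try {
      if (Array.isArray(value)) {
        return value.map((v, i) => walk(v, depth + 1, `${path}[${i}]`));
      }
      const out = {};
      for (const [k, v] of Object.entries(value)) {
        out[k] = walk(v, depth + 1, `${path}.${k}`);
      }
      return out;
    } finally {
      onPath.delete(value); // a sibling may legitimately share this object
    }
  }
  return walk(root, 0, "$");
}

// Report a rejected graph as a result instead of crashing the caller.
function tryTraverse(root, maxDepth) {
  try {
    return { ok: true, value: serializeDeep(root, maxDepth) };
  } catch (e) {
    if (e instanceof TraversalError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed sample: a page and its annotation reference each other.
function makeCyclicPage() {
  const page = { type: "Page", annots: [] };
  page.annots.push({ type: "Annot", page });
  return page;
}

// Constructed sample: one object shared by two pages (no cycle).
function makeSharedDoc() {
  const font = { name: "F1" };
  return { pages: [{ font }, { font }] };
}
```

Tracking only the current path, rather than every object ever visited, lets a shared but acyclic reference pass while the mutual page/annotation reference is refused; the depth cap bounds stack use for graphs that are deep without being cyclic.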
How can this vulnerability impact me?
The primary impact is a crash of the affected application: the uncontrolled recursion exhausts the stack.
This denial of service can disrupt normal operations, potentially leading to downtime or loss of availability of the application handling the PDF documents.