Foxit PDF Reader CVE-2025-9326 PRC Parsing Out-of-Bounds Read: Brief Summary and Patch Guidance

A brief summary of CVE-2025-9326, a high-severity out-of-bounds read vulnerability in Foxit PDF Reader's PRC file parsing. This post covers technical details, affected versions, patch information, and vendor security history.
CVE Analysis

9 min read

ZeroPath CVE Analysis

2025-09-02

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote attackers can execute code on endpoints running Foxit PDF Reader simply by getting a user to open a malicious PDF with embedded 3D content. With over 700 million users, Foxit PDF Reader is a dominant player in the PDF software market, widely deployed across enterprises and government. Any vulnerability in its file parsing routines has significant downstream risk for organizations that rely on PDF workflows.

Foxit Software is a global provider of PDF solutions, including Foxit PDF Reader and Foxit PDF Editor. The company’s products are known for their performance and feature set, with broad adoption in business and public sector environments. Foxit has a history of memory safety issues in its PDF processing code, including use-after-free and out-of-bounds read/write vulnerabilities, but typically responds rapidly to coordinated disclosures with public advisories and patches.

Technical Information

CVE-2025-9326 is an out-of-bounds read vulnerability in the PRC (Product Representation Compact) file parsing component of Foxit PDF Reader. PRC is a binary format for embedding 3D models inside PDF documents. The vulnerability arises from insufficient validation of user-controlled data during PRC parsing. Specifically, the parser does not properly check that reads stay within the allocated buffer boundaries when handling certain PRC structures. This can result in a read operation that accesses memory beyond the intended buffer (CWE-125).

Attackers can craft a malicious PDF containing specially formed PRC data. When a user opens this file in a vulnerable version of Foxit PDF Reader, the application may read memory outside the allocated buffer. Depending on memory layout and exploitation technique, this can leak sensitive data or enable remote code execution in the context of the user. The attack requires user interaction, such as opening a malicious PDF or visiting a web page that triggers the vulnerable code path.

The vulnerability was reported as ZDI-CAN-26784 by Trend Micro’s Zero Day Initiative. No public proof of concept or code snippets are available as of this writing. The flaw is closely related to other memory safety issues previously disclosed in Foxit’s PDF parsing routines, especially those involving 3D and annotation objects.

Patch Information

Foxit has proactively addressed several security vulnerabilities in its PDF Editor and Reader products through a series of updates released in 2024. These patches enhance the software's stability and security by mitigating potential risks associated with specific features and functionalities.

Out-of-Bounds Read/Write Vulnerabilities

Vulnerabilities were found where the application could be exposed to Out-of-Bounds Read/Write issues, potentially leading to crashes or remote code execution. These vulnerabilities were associated with parsing certain PDF files or handling specific Annotation objects, U3D files, Doc objects, or 3D objects in AcroForms.

Foxit addressed these vulnerabilities by releasing updates that include improved bounds checking and memory management practices. Users should update to the latest versions of Foxit PDF Editor to mitigate these risks.
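The two passages above describe the defect class (a parser trusting a length taken from the file, CWE-125) and the fix class (bounds checking before each read). The C program below is an added illustration, not Foxit's code and not the real PRC format: it uses a constructed, hypothetical record layout (a 4-byte little-endian length followed by that many payload bytes) and shows the unchecked parser beside its hardened counterpart. All names, the layout and the sample bytes are assumptions made for this example; the "adjacent memory" the unchecked parser pulls in is deliberately allocated inside the same array so the demonstration itself stays memory-safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical record layout used only for this illustration (it is NOT the
 * real PRC format): the buffer is a sequence of records, each a 4-byte
 * little-endian length followed by that many payload bytes. Summing the
 * payload bytes stands in for whatever a real parser does with the data.
 */

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable variant (CWE-125): the length field comes from the file and is
 * trusted, so a record claiming more bytes than remain makes the loop read
 * past the end of the buffer. */
int parse_records_unchecked(const uint8_t *buf, size_t len, uint32_t *sum_out)
{
    size_t off = 0;
    uint32_t sum = 0;
    while (off < len) {
        uint32_t rec_len = read_u32_le(buf + off); /* header itself may overrun */
        off += 4;
        for (uint32_t i = 0; i < rec_len; i++)
            sum += buf[off + i];                   /* off + i may exceed len */
        off += rec_len;
    }
    *sum_out = sum;
    return 0;
}

/* Hardened variant: every read is checked against the bytes that remain.
 * Returns 0 on success, -1 if the input is truncated or a length lies. */
int parse_records_checked(const uint8_t *buf, size_t len, uint32_t *sum_out)
{
    size_t off = 0;
    uint32_t sum = 0;
    while (off < len) {
        if (len - off < 4)
            return -1;                             /* header does not fit */
        uint32_t rec_len = read_u32_le(buf + off);
        off += 4;
        /* Written as "rec_len > remaining" rather than "off + rec_len > len"
         * so an attacker-chosen rec_len cannot wrap the addition. */
        if (rec_len > len - off)
            return -1;                             /* payload does not fit */
        for (uint32_t i = 0; i < rec_len; i++)
            sum += buf[off + i];
        off += rec_len;
    }
    *sum_out = sum;
    return 0;
}

/* Constructed sample inputs (not taken from any real file). */

/* Well-formed: record 1 = {01 02 03}, record 2 = {10}. Payload sum is 22. */
static const uint8_t benign_file[12] = {
    0x03, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03,
    0x01, 0x00, 0x00, 0x00, 0x10
};

/* Malformed: an 8-byte "file" whose single record claims 16 payload bytes
 * but carries only 4. It sits at the start of a larger array whose remaining
 * 16 bytes (0x41) stand in for unrelated data that happened to be allocated
 * next to the buffer. The unchecked parser reads 12 of those bytes. */
#define MALFORMED_FILE_LEN 8
static const uint8_t malformed_arena[24] = {
    0x10, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

/* Truncated: a header that promises a record but ends after two bytes. */
static const uint8_t truncated_file[2] = { 0x05, 0x00 };

int main(void)
{
    uint32_t sum = 0;

    parse_records_unchecked(benign_file, sizeof benign_file, &sum);
    printf("unchecked, benign:    sum=%u\n", sum);

    parse_records_unchecked(malformed_arena, MALFORMED_FILE_LEN, &sum);
    printf("unchecked, malformed: sum=%u (includes 12 bytes past the file)\n", sum);

    printf("checked, malformed:   rc=%d\n",
           parse_records_checked(malformed_arena, MALFORMED_FILE_LEN, &sum));
    printf("checked, truncated:   rc=%d\n",
           parse_records_checked(truncated_file, sizeof truncated_file, &sum));
    return 0;
}
```

The checked parser rejects the malformed and truncated inputs before touching any byte outside the buffer, which is the behaviour a bounds-checking patch adds; the unchecked parser returns success on the same input while having folded bytes beyond the declared file into its result, which is how an out-of-bounds read turns into an information leak or a crash.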

Recommendations

To ensure the security and stability of your Foxit PDF applications, it is crucial to keep them updated to the latest versions. Users can update their applications by:

  • Clicking on "Help" > "About Foxit PDF Editor" or "About Foxit PDF Reader" > "Check for Update" within the application.
  • Downloading the updated versions directly from Foxit's official website.

By applying these updates, users can protect their systems from potential vulnerabilities and ensure a secure and efficient PDF editing and reading experience.

For more detailed information on these updates and the specific vulnerabilities addressed, please refer to Foxit's official security bulletins:

Affected Systems and Versions

  • Foxit PDF Reader versions prior to 2025.2.0.33028 are affected.
  • Foxit PDF Editor versions prior to 2025.2.0.33046 are affected.
  • The vulnerability is triggered by opening a malicious PDF containing specially crafted PRC (Product Representation Compact) data.
  • Both Windows and Mac platforms are impacted where these versions are deployed.

Vendor Security History

Foxit Software has a documented history of memory safety vulnerabilities in its PDF Reader and Editor products. Previous issues include use-after-free, out-of-bounds read/write, type confusion, and DLL hijacking vulnerabilities. Foxit typically responds quickly to responsible disclosures, releasing coordinated patches and maintaining public security bulletins. However, the recurrence of memory safety flaws indicates persistent challenges in secure coding and review practices for complex file parsing logic.
