Zero Day Monitor (ZDM)
6.2
CVE-2026-3778
adobe · adobe acrobat

Stack exhaustion caused by cyclic references in Foxit PDF Editor/Reader

Description

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.

Affected Products

Vendor | Product | Versions
adobe | adobe acrobat | Versions 2025.3 and earlier, Versions 14.0.2 and earlier, Versions 13.2.2 and earlier, Versions 2025.3 and earlier

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
foxit | pdf reader | cert_advisory | 90%
foxit | pdf editor | cert_advisory | 90%

References

  • https://www.foxit.com/support/security-bulletins.html

Related News (2 articles)

Tier B · BSI Advisories · 20h ago
[UPDATE] [medium] Foxit PDF Editor and Reader: Multiple vulnerabilities
→ No new info (linked only)
Tier B · CERT-FR · 2d ago
Multiple vulnerabilities in FoxIT products (31 March 2026)
→ No new info (linked only)
CVSS 3.1: 6.2 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: ❌ No
Actively exploited: ❌ No
CWE: CWE-674
Published: Apr 1, 2026
Last enriched: 9h ago
Trending Score: 32
Source articles: 2
Independent: 2
Info Completeness: 5/14
Missing: vendor, product, versions, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-3774
Self-Modifications Affecting Altered Printing and Redaction in Foxit PDF Editor
Trending: 32
HIGH · CVE-2026-27220
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current
Trending: 26
HIGH · CVE-2026-27276
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this is
Trending: 18
HIGH · CVE-2026-27272
Illustrator versions 29.8.4, 30.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of thi
Trending: 18
HIGH · CVE-2026-27274
Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of t
Trending: 18

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published
Apr 1, 2026
Discovered by ZDM
Apr 1, 2026