CVE-2019-20827
Description
An issue was discovered in Foxit PhantomPDF Mac 3.3 and Foxit Reader for Mac before 3.3. It allows stack consumption because of interaction between ICC-Based color space and Alternate color space.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack consumption vulnerability in Foxit PhantomPDF Mac 3.3 and Foxit Reader for Mac before 3.3 due to interaction between ICC-Based and Alternate color spaces.
Vulnerability
The vulnerability resides in the color space handling of Foxit PhantomPDF Mac 3.3 and Foxit Reader for Mac prior to version 3.3. When a PDF file contains both an ICC-Based color space and an Alternate color space, the interaction between them can cause excessive stack consumption. No special configuration is required; opening a maliciously crafted PDF file is sufficient.
Exploitation
An attacker can exploit this vulnerability by crafting a PDF document that includes ICC-Based and Alternate color spaces that trigger recursive processing. The victim must open the malicious PDF file in an affected version of the software. No additional privileges or network access are required; the attack depends on user interaction.
Impact
Successful exploitation leads to a denial-of-service condition via stack overflow, potentially causing the application to crash. The impact is limited to availability; confidentiality and integrity are not directly compromised.
Mitigation
The issue was reportedly addressed in a later version. Users should upgrade to the latest stable release of Foxit PhantomPDF or Foxit Reader for Mac. As of the publication date (2020-06-04), no specific patched version is mentioned in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Foxit/PhantomPDF Mac
- Range: = 3.3
- Range: < 3.3
Patches
No patches discovered yet.
References
- www.foxitsoftware.com/support/security-bulletins.php (mitre, x_refsource_CONFIRM)