CVE-2020-27857
Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NEF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11488.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote attackers can execute arbitrary code on Foxit Studio Photo 3.6.6.922 via a crafted NEF file due to an out-of-bounds write.
Vulnerability
This vulnerability exists in Foxit Studio Photo version 3.6.6.922 and allows remote code execution. The flaw is in the parsing of NEF (Nikon Electronic Format) files. The software fails to properly validate user-supplied data, leading to a write operation past the end of an allocated structure [2].
Exploitation
To exploit this vulnerability, an attacker must convince the target user to open a malicious NEF file or visit a page that triggers the parsing of such a file. User interaction is required. No authentication is needed, and the attacker does not require any special privileges beyond the ability to deliver the crafted file [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process. This can result in full compromise of confidentiality, integrity, and availability of the user's system [2].
Mitigation
As of the publication date of this CVE, Foxit has not released a patch for Foxit Studio Photo addressing this vulnerability. The Foxit security bulletin page [1] does not list this specific issue. Users should exercise caution when opening NEF files from untrusted sources and consider using alternative image viewing software until a fix is provided.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: =3.6.6.922
- Foxit/Studio Photov5Range: 3.6.6.922
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- www.foxitsoftware.com/support/security-bulletins.htmlmitrex_refsource_MISC
- www.zerodayinitiative.com/advisories/ZDI-20-1350/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.