Cisco Talos Discloses Foxit Reader Use-After-Free and Six LibRaw Buffer Overflow Vulnerabilities
Cisco Talos has disclosed a critical use-after-free vulnerability in Foxit Reader (CVE-2026-3779) and six memory corruption flaws in the LibRaw library (four heap-based buffer overflows and two integer overflows), all of which have been patched by the respective vendors.

Cisco Talos' Vulnerability Discovery & Research team has publicly disclosed a set of seven vulnerabilities affecting Foxit Reader and the LibRaw image processing library. The disclosures, made under Cisco's coordinated third-party vulnerability disclosure policy, include a critical use-after-free bug in Foxit Reader and six memory corruption flaws in LibRaw. All vulnerabilities have been patched by the vendors, and Snort rules are available to detect exploitation attempts.
The most severe of the disclosed flaws is TALOS-2026-2365 (CVE-2026-3779), a use-after-free vulnerability in Foxit Reader's handling of Array objects. Discovered by Talos researcher KPC, the bug can be triggered by specially crafted JavaScript embedded within a malicious PDF document. When a victim opens the file and the embedded script runs, the use-after-free condition leads to memory corruption, potentially allowing an attacker to achieve arbitrary code execution on the target system. Exploitation therefore requires the user to open an attacker-supplied PDF, and because the trigger is script, disabling JavaScript execution in Foxit Reader's preferences (File > Preferences > JavaScript) closes this trigger path on endpoints where the patch cannot be applied immediately. Foxit Reader is one of the most widely used PDF applications, making this a high-value target for phishing campaigns.
The remaining six vulnerabilities were discovered by Talos researcher Francesco Benvenuto in LibRaw, a popular open-source library used to decode RAW image files from digital cameras. Four of the flaws are heap-based buffer overflows: TALOS-2026-2330 (CVE-2026-20911), TALOS-2026-2331 (CVE-2026-21413), TALOS-2026-2358 (CVE-2026-20889), and TALOS-2026-2359 (CVE-2026-24660). The other two are integer overflows: TALOS-2026-2363 (CVE-2026-24450) and TALOS-2026-2364 (CVE-2026-20884), where an arithmetic wraparound on attacker-controlled header fields leads to an undersized allocation that is later overrun. All six can be triggered by providing a specially crafted RAW file to an application using the LibRaw library, leading to heap corruption and potential code execution.
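The article names the two bug classes but not their mechanics, so the following is an added example, written for this page and not taken from LibRaw or from Talos' advisories. It uses a constructed toy container (a 12-byte header of width, height and bits-per-sample, then raw samples) that stands in for a camera RAW format; the header layout, the `MAX_PIXEL_BYTES` cap and the error codes are assumptions made for illustration. It shows the integer-overflow pattern behind this class of image-parser bug (a 32-bit `width * height * bytes_per_sample` that wraps, so the decoder allocates far less than it later writes) beside a hardened size computation that checks each multiplication, caps the result, and also rejects headers that promise more sample bytes than the file actually contains.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy container (NOT LibRaw's real format): a 12-byte header of
 * three little-endian uint32 fields, width, height and bits_per_sample,
 * followed by width*height samples of (bits_per_sample+7)/8 bytes each. */
#define HDR_LEN 12
/* Assumed upper bound on what one image may allocate, so a header cannot
 * demand gigabytes even when the arithmetic itself does not overflow. */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: the size is computed in 32-bit arithmetic and wraps
 * for large dimensions. A decoder that allocates this many bytes but then
 * writes width*height samples overruns the heap buffer. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bps) {
    uint32_t bytes_per_sample = (bps + 7) / 8;
    return width * height * bytes_per_sample;   /* silent wraparound */
}

/* Hardened: reject degenerate fields, check each multiplication against
 * SIZE_MAX before performing it, and cap the result. */
bool checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bps, size_t *out) {
    if (width == 0 || height == 0 || bps == 0 || bps > 16) return false;
    size_t bytes_per_sample = (bps + 7) / 8;
    if ((size_t)width > SIZE_MAX / height) return false;
    size_t n = (size_t)width * height;
    if (n > SIZE_MAX / bytes_per_sample) return false;
    n *= bytes_per_sample;
    if (n > MAX_PIXEL_BYTES) return false;
    *out = n;
    return true;
}

/* Parses one image. Returns 0 and a heap copy of the samples in *out, or a
 * negative code: -1 truncated header, -2 rejected dimensions, -3 header
 * promises more sample bytes than the file holds, -4 allocation failure.
 * Only `len` (what was actually read from disk or network) is trusted. */
int parse_raw_image(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    if (len < HDR_LEN) return -1;
    uint32_t width = rd32(buf), height = rd32(buf + 4), bps = rd32(buf + 8);
    size_t need;
    if (!checked_pixel_bytes(width, height, bps, &need)) return -2;
    if (need > len - HDR_LEN) return -3;      /* the check truncation bugs miss */
    uint8_t *pix = malloc(need);
    if (!pix) return -4;
    /* Copy sample by sample; the loop bound derives from the same checked
     * value as the allocation, so the two can never disagree. */
    size_t samples = (size_t)width * height;
    size_t bytes_per_sample = need / samples;
    for (size_t i = 0; i < samples; i++)
        memcpy(pix + i * bytes_per_sample, buf + HDR_LEN + i * bytes_per_sample,
               bytes_per_sample);
    *out = pix;
    *out_len = need;
    return 0;
}

/* Builds a constructed file with the given header and data_len trailing
 * bytes, runs it through the parser and returns the parser's code. */
int parse_constructed(uint32_t width, uint32_t height, uint32_t bps, size_t data_len) {
    size_t len = HDR_LEN + data_len;
    uint8_t *buf = calloc(len, 1);
    if (!buf) return -4;
    wr32(buf, width); wr32(buf + 4, height); wr32(buf + 8, bps);
    for (size_t i = 0; i < data_len; i++) buf[HDR_LEN + i] = (uint8_t)i;
    uint8_t *pix = NULL; size_t pix_len = 0;
    int rc = parse_raw_image(buf, len, &pix, &pix_len);
    free(pix);
    free(buf);
    return rc;
}

int main(void) {
    printf("wrapped size for 65537x65536 @ 8bpp: %u bytes\n",
           unchecked_pixel_bytes(65537, 65536, 8));
    printf("sane 4x3 @ 12bpp, 24 data bytes: %d\n", parse_constructed(4, 3, 12, 24));
    printf("4x3 @ 16bpp but only 10 data bytes: %d\n", parse_constructed(4, 3, 16, 10));
    printf("65537x65536 @ 8bpp: %d\n", parse_constructed(65537, 65536, 8, 64));
    return 0;
}
```

The 65537x65536 case is the instructive one: the unchecked product wraps to 65536, so a decoder built on it would `malloc` 64 KiB and then write roughly 4 GiB of samples into it, which is exactly the undersized-allocation-then-overrun shape the integer overflow class produces. The hardened path rejects it before any allocation, and the separate truncation check catches the complementary bug where a sane-looking header is followed by too few bytes.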
LibRaw is widely used by photo editing and photo management software, image viewers, and server-side image processing pipelines, meaning the vulnerabilities could have a broad impact across the photography and imaging ecosystem. An attacker could deliver a malicious RAW file via email, a compromised website, or a USB drive, and any application that hands the file to a vulnerable LibRaw build for parsing would be at risk. The higher-exposure case is server-side: a thumbnailer or conversion service that decodes user-uploaded images processes the file with no user interaction at all.
Cisco Talos has confirmed that both Foxit and the LibRaw maintainers have released patches addressing all seven vulnerabilities. Users are strongly advised to update Foxit Reader to the latest version and to ensure that any software depending on the LibRaw library is updated to a patched version. Because applications frequently bundle or statically link their own copy of LibRaw rather than using the system package, updating the distribution's library alone is not sufficient; each application that decodes RAW files needs to be checked for the version it actually ships. Cisco has also released updated Snort intrusion detection rules to help organizations detect exploitation attempts targeting these flaws.
The coordinated disclosure process highlights the ongoing challenge of securing complex software ecosystems. PDF readers and image processing libraries are ubiquitous attack surfaces, and vulnerabilities in these components can serve as reliable entry points for targeted attacks. The JavaScript trigger in the Foxit Reader bug is a reminder that document-embedded scripting remains a favored vector for both commodity malware and advanced persistent threat groups.