Foxit PDF Reader Update Service Flaw CVE-2026-3775 Allows Local Privilege Escalation to SYSTEM
A local privilege escalation vulnerability in Foxit PDF Reader's Update Service, tracked as CVE-2026-3775, allows attackers with low-privileged code execution to gain SYSTEM-level access.
Foxit PDF Reader contains a local privilege escalation vulnerability in its Update Service that could allow an attacker to gain full SYSTEM-level control of a compromised system. The flaw, assigned CVE-2026-2026-3775 and disclosed by the Zero Day Initiative as ZDI-26-251, stems from an uncontrolled search path element in the update component.
The vulnerability exists because the Foxit Reader Update Service loads a library from an unsecured location. An attacker who already has low-privileged code execution on the target system can exploit this by placing a malicious library in a directory that the service searches before the legitimate path. When the service loads the library, the attacker's code executes in the context of the SYSTEM account, granting elevated privileges.
Foxit has released a patch to address the vulnerability. Users are advised to update to the latest version of Foxit PDF Reader as soon as possible. The vendor's security bulletin provides further details on the fix.
The flaw was reported to Foxit on December 31, 2025, by Erik Egsgard of Field Effect, a Canadian cybersecurity firm. The coordinated public disclosure occurred on April 2, 2026, after Foxit had time to develop and release a patch.
CVE-2026-3775 carries a CVSS score of 7.8, classified as high severity. The attack vector is local, requires low privileges, and does not require user interaction, making it a practical tool for attackers who have already breached a system's lower-security perimeter.
Local privilege escalation vulnerabilities in widely deployed software like Foxit PDF Reader are particularly dangerous because they allow attackers to pivot from an initial foothold to full system compromise. Once an attacker gains SYSTEM privileges, they can disable security software, install persistent backdoors, and move laterally across a network.
Foxit PDF Reader is a popular alternative to Adobe Acrobat, used by millions of individuals and organizations worldwide. The update service runs with elevated privileges by design, making it an attractive target for attackers seeking to escalate their access.
Organizations using Foxit PDF Reader should prioritize applying the available patch. In environments where immediate patching is not possible, administrators should consider restricting the update service's ability to load libraries from unsecured locations and monitor for unusual library loading activity.