CVE-2026-3775: DLL Hijacking in Foxit PDF Editor/Reader Update Service
A local privilege escalation flaw in Foxit's update mechanism lets low-privileged users execute arbitrary code as SYSTEM through a classic DLL search-order hijack.
Foxit has released updated versions of its PDF Editor and PDF Reader products to address CVE-2026-3775, a high-severity local privilege escalation vulnerability in the application's update service. The flaw was published on April 1, 2026 and carries a CVSS 3.1 base score of 7.8. Foxit has issued patches across multiple product lines, including the 2026.1, 14.0.3, and 13.2.3 branches.
The vulnerability is a textbook DLL search-order hijacking issue. The update service loads system libraries from a search path that includes directories writable by low-privileged users, allowing a local attacker to plant a malicious DLL and have it loaded with SYSTEM privileges.
How the bug works
When Foxit PDF Editor or Reader checks for updates, its update service resolves and loads certain system DLLs. The problem is that the search path used during this process is not strictly limited to trusted system directories. It includes locations that standard, unprivileged users can write to.
This creates a straightforward attack path: a local attacker places a malicious DLL with the expected filename into one of those writable directories. The next time the update service runs, it discovers the attacker's DLL before the legitimate system library and loads it. Because the update service runs with elevated privileges, the attacker's code executes as SYSTEM, giving them full control over the machine.
This class of vulnerability, known as CWE-427: Uncontrolled Search Path Element, has been well understood for years. It remains common in Windows desktop applications because the default DLL search order consults several directories, and developers must explicitly restrict the search path to trusted system directories to prevent hijacking.
Low complexity, high impact. The CVSS vector shows this is a low-complexity, local attack requiring only low privileges and no user interaction. All three impact metrics (confidentiality, integrity, availability) are rated High. In practical terms, any user with a standard account on a shared workstation or terminal server could escalate to SYSTEM without needing to trick an administrator into doing anything.
Affected products
The vulnerability affects Foxit PDF Editor and Foxit PDF Reader on both Windows and macOS. The specific affected and fixed versions are:
Versions 2025.3 and earlier are confirmed affected. Organizations running older branches (13.x or 14.x) should update to at least 13.2.3 or 14.0.3 respectively.
Why this matters in enterprise environments
Foxit PDF Editor and Reader are widely deployed in enterprise environments as alternatives to Adobe Acrobat. In many organizations, they are installed on shared workstations, terminal servers, and VDI images where multiple users share the same system. A local privilege escalation from standard user to SYSTEM is particularly dangerous in these scenarios because it allows any authenticated user to fully compromise a shared machine, pivot to other systems, install persistent backdoors, and access data belonging to other users on the same host.
The fact that the vulnerability requires no user interaction makes it especially appealing for automated exploitation. A malicious insider or an attacker who has gained initial access through phishing or another vector could trivially escalate without any social engineering.
What to do
Update Foxit products immediately. Open Foxit PDF Editor or Reader, go to Help, then About, then Check for Update. Alternatively, download the latest versions from Foxit's security bulletin page.
Audit writable directories in the DLL search path. Review the file system permissions on directories that the Foxit update service searches when loading libraries. Restrict write access where possible.
Monitor for suspicious DLLs. Check for unexpected DLL files appearing in application directories or user-writable paths. EDR solutions can flag DLL side-loading attempts in real time.
Consider disabling the auto-update service temporarily. If patching cannot happen immediately, disabling the Foxit update service removes the vulnerable code path until the update can be applied. With the service disabled, install the fix from a manual download of the fixed version from Foxit's security bulletin page.
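A defender-side check for the two audit items above (writable search-path directories and unexpected DLLs), written here as an added example for Windows hosts; it is not Foxit's code, and the $AppDir placeholder and the $LowPrivPrincipals list are assumptions to adjust for your environment:

```powershell
# Added audit script (not Foxit's code): walks the default Windows DLL search
# order, reports directories where low-privileged principals hold write rights,
# and lists DLLs already present there. $AppDir is a placeholder; point it at
# the Foxit install directory on the host being audited.
param([string]$AppDir = 'C:\PLACEHOLDER\Foxit')   # placeholder, not Foxit's real path
# Principals a standard (non-admin) user normally belongs to; add domain
# groups such as 'DOMAIN\Domain Users' as appropriate.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a caller create or replace files in a directory:
# WriteData (0x2), AppendData (0x4), GENERIC_WRITE, GENERIC_ALL.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
# Default order with SafeDllSearchMode on: application directory, System32,
# 16-bit System directory, Windows directory, current directory, then PATH.
$SearchOrder = @($AppDir, "$env:SystemRoot\System32", "$env:SystemRoot\System",
                 $env:SystemRoot, (Get-Location).Path) +
               ($env:Path -split ';' | Where-Object { $_.Trim() -ne '' })

# First Allow ACE granting write rights to a low-privileged principal, or $null.
# Deny ACEs are not evaluated, so confirm each hit before acting on it.
function Test-LowPrivWritable {
    param([string]$Dir)
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace }
    }
    return $null
}

$seen = @{}
foreach ($dir in $SearchOrder) {
    $key = $dir.TrimEnd('\').ToLowerInvariant()
    if ($seen.ContainsKey($key)) { continue }
    $seen[$key] = $true
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    try   { $hit = Test-LowPrivWritable -Dir $dir }
    catch { Write-Warning "Cannot read ACL on $dir"; continue }
    if (-not $hit) { continue }
    # Newest DLLs in the writable directory, for triage against the names the update service loads.
    $dlls = Get-ChildItem -LiteralPath $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 5
    [pscustomobject]@{
        Directory  = $dir
        Principal  = $hit.IdentityReference.Value
        Rights     = $hit.FileSystemRights
        RecentDlls = ($dlls.Name -join ', ')
    }
}
```

Run it under an account that can read the ACLs of the directories in question; any directory it reports is a candidate for tightening write permissions or for closer EDR monitoring.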
Broader context
DLL hijacking vulnerabilities continue to surface in desktop applications year after year. Although the weakness is well documented, the default DLL search order on Windows makes it easy for developers to introduce these flaws accidentally. The update mechanism is a particularly sensitive component because it typically runs with elevated privileges, amplifying the impact of any search-path mistake.
Foxit has a history of responding to security reports and issuing timely patches. This disclosure was coordinated, with the CVE reserved on March 8 and the advisory published alongside fixed versions on April 1. Organizations that have Foxit products in their software inventory should treat this as a high-priority patch, especially on multi-user systems.