Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs
Foxit Reader contained two memory-corruption vulnerabilities in the U3DBrowser plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. CVE-2019-6983 stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized fread() into a much smaller heap buffer. CVE-2019-6982 involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a malloc-allocated buffer.
The flaws affected Foxit Reader 9.x builds, including version 9.1.0.5096 with U3DBrowser.fpi 9.1.0.425 and version 9.0.1.1049 with U3DBrowser.fpi 9.0.1.994. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Foxit patches CVE-2019-6982 and CVE-2019-6983
On 2019-01-03, Foxit released fixes for the two reported U3DBrowser plug-in vulnerabilities affecting Foxit Reader. Foxit later acknowledged both issues in its security bulletins.
STAR Labs reports two Foxit Reader U3D vulnerabilities to Foxit
On 2018-11-27, STAR Labs notified Foxit of two vulnerabilities in the U3DBrowser plug-in used by Foxit Reader to render embedded 3D PDF annotations: CVE-2019-6982, a heap out-of-bounds write, and CVE-2019-6983, a heap overflow caused by malformed U3D File Header Block processing. Both issues could lead to arbitrary code execution in the context of the logged-on user.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Adobe Reader DC patched 3D PDF memory corruption flaws in U3D texture handling
Adobe patched two memory corruption vulnerabilities in **Adobe Reader DC 2019.010.20064** affecting the rendering of **3D content embedded in PDF files**. Tracked as `CVE-2019-7119` and `CVE-2019-7120`, the flaws were found in the `2d.x3d` and related `rt3d` processing path used for **ECMA-363 Universal 3D (U3D)** resources and external texture images. One bug allowed an **arbitrary out-of-bounds write** in `TRGB::Read()` and was observed crashing through `2d!png_set_filter_heuristics`, while the other involved an out-of-bounds condition in `TIF::Read()` tied to `_LoadILBM()`, reported as an out-of-bounds read at crash time but patched by Adobe as an **out-of-bounds write**. The vulnerabilities could be triggered with a crafted U3D file that manipulated texture metadata and referenced external image files, including `.iff` content, causing memory corruption when a user enabled 3D content display in a PDF. The exposure was not present in a default configuration unless **3D PDF rendering** was enabled, but organizations that regularly exchange **CAD and other 3D documents** faced higher risk. Adobe addressed both issues in advisory **`APSB19-17`** after coordinated disclosure from STAR Labs.
May 24, 2026
Adobe Reader DC 3D PDF Parsing Flaws Trigger Out-of-Bounds Reads
Adobe patched two out-of-bounds read vulnerabilities in **Adobe Reader DC** affecting version `2019.010.20099`, both tied to the `2d.x3d!_LoadTIFF()` processing path used to render embedded **U3D** 3D content inside PDF files. Tracked as `CVE-2019-8010` and `CVE-2019-8011`, the flaws can be triggered by a crafted PDF containing malformed external texture references in embedded 3D objects, causing the sandboxed Reader process to crash under the logged-on user context. The bugs affect Acrobat’s handling of ECMA-363 Universal 3D File Format resources, including external image and texture parsing such as PNG- and TIFF-related paths. The issue is not reachable in a default installation unless 3D content display is enabled, but it poses greater risk in environments that routinely exchange 3D PDFs, including CAD-heavy workflows where 3D viewing may be enabled by default. Adobe addressed both issues in advisory **`APSB19-41`** after coordinated disclosure by STAR Labs.
May 24, 2026
Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws
Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as **CVE-2026-5940** and **CVE-2026-5943** through Zero Day Initiative advisories **ZDI-26-301** and **ZDI-26-304**. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process. Exploitation requires user interaction, including opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves **AcroForm Annotation** objects; each carries a **CVSS 7.8** severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.
May 24, 2026