CVE-2024-9246: 
Foxit PDF Reader vulnerability analysis and mitigation

Foxit PDF Reader Annotation Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2024-9246) was discovered and disclosed on November 22, 2024. This vulnerability affects various versions of Foxit PDF Reader and Foxit PDF Editor on Windows platform, including versions up to 2024.2.3.25184 (NVD, Foxit Bulletin).

The vulnerability exists within the handling of Annotation objects in Foxit PDF Reader. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 HIGH by NIST and 3.3 LOW by Zero Day Initiative, with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H (ZDI Advisory, NVD).

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. The impact is limited as user interaction is required to exploit this vulnerability, specifically the target must visit a malicious page or open a malicious file. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

Foxit has released security updates to address this vulnerability. Users are advised to update their applications to the latest versions through one of the following methods: 1) In Foxit PDF Reader or Foxit PDF Editor, click on 'Help' > 'About Foxit PDF Reader/Editor' > 'Check for Update' to update to the latest version, or 2) Download the updated version directly from the Foxit website (Foxit Bulletin).