CVE-2026-3775: CWE-427: DLL Hijacking in Foxit Software Inc. Foxit PDF Editor
CVE-2026-3775 is a high-severity DLL hijacking vulnerability in Foxit PDF Editor versions 2025.3 and earlier. The application's update service loads system libraries from search paths that include directories writable by low-privileged users. This insecure library loading allows a local attacker to place a malicious DLL in these directories, which the update service then loads with SYSTEM privileges. Exploiting this flaw results in local privilege escalation and arbitrary code execution without requiring user interaction. The vulnerability has a CVSS score of 7.8, reflecting its significant impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. Organizations using affected Foxit PDF Editor versions should prioritize patching or apply mitigations to restrict write permissions on vulnerable directories. This threat primarily affects environments where Foxit PDF Editor is widely deployed, including the United States, China, Germany, Japan, and the United Kingdom.
AI Analysis
Technical Summary
CVE-2026-3775 is a DLL hijacking vulnerability classified under CWE-427, affecting Foxit Software Inc.'s Foxit PDF Editor, specifically versions 2025.3 and earlier. The vulnerability arises because the application's update service, responsible for checking and applying updates, loads certain system libraries from a search path that includes directories writable by low-privileged users. This insecure practice violates the principle of loading libraries only from trusted system locations. A local attacker with write access to these directories can place a malicious DLL with the same name as a legitimate system library. When the update service runs, it loads the attacker's DLL with SYSTEM privileges, leading to local privilege escalation and arbitrary code execution. The vulnerability does not require user interaction but does require local access with limited privileges. The CVSS v3.1 score of 7.8 reflects high impact on confidentiality, integrity, and availability, with low attack complexity and low privileges required. No patches are currently linked, and no exploits are known in the wild, but the vulnerability poses a significant risk due to the elevated privileges gained upon exploitation. The flaw is rooted in improper library search path handling, a common security weakness that can be mitigated by enforcing strict DLL loading policies and securing writable directories.
Potential Impact
The impact of CVE-2026-3775 is substantial for organizations using vulnerable versions of Foxit PDF Editor. Successful exploitation grants an attacker SYSTEM-level privileges on the affected machine, enabling full control over the system. This can lead to unauthorized access to sensitive data, installation of persistent malware, disruption of services, and lateral movement within networks. Since the vulnerability requires local access, it is particularly dangerous in environments where multiple users share systems or where attackers have gained initial footholds with limited privileges. The arbitrary code execution capability can facilitate further attacks, including data exfiltration, ransomware deployment, or sabotage. Given the widespread use of Foxit PDF Editor in corporate, government, and educational institutions, the vulnerability could be leveraged to compromise critical endpoints and infrastructure. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
To mitigate CVE-2026-3775, organizations should first apply any official patches or updates from Foxit Software once available. In the absence of patches, administrators should audit and restrict write permissions on directories included in the DLL search path used by the Foxit PDF Editor update service, ensuring that only trusted users and system processes have write access. Implement application whitelisting and code integrity policies to prevent unauthorized DLLs from loading. Employ endpoint detection and response (EDR) solutions to monitor for suspicious DLL loading behavior and privilege escalation attempts. Additionally, consider running the update service with the least privileges necessary, if configurable, to limit the impact of potential exploitation. Regularly review and harden local user permissions to minimize the risk of local attackers placing malicious files. Educate users about the risks of local privilege escalation and maintain robust local access controls. Network segmentation can also limit the spread of an attacker who gains elevated privileges on one system.
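An added example, not part of the original advisory or of Foxit's code: a PowerShell audit for the write-permission check recommended above. The advisory does not name the affected directories, so the script assumes the machine-wide PATH entries plus any folders passed in `-ExtraDirs`, a hypothetical parameter meant for the update service's install folder.

```powershell
# Added example (not from the advisory). Assumption: the advisory names no paths,
# so -ExtraDirs is a hypothetical parameter for the update service's install folder.
param([string[]]$ExtraDirs = @())

# Writers treated as trusted: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
$sidType      = [System.Security.Principal.SecurityIdentifier]
$ntType       = [System.Security.Principal.NTAccount]
$createFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$genericWrite = 0x40000000   # GENERIC_WRITE, stored unmapped in some ACEs
$genericAll   = 0x10000000   # GENERIC_ALL

# Machine-wide PATH entries are part of the search path of every service.
$dirs = @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') + $ExtraDirs |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A search-path entry that does not exist is worth reviewing on its own.
        [pscustomobject]@{ Directory = $dir; Principal = '(directory missing)'; Rights = 'n/a' }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child objects, not to the directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $createFiles) -or ($rights -band $genericWrite) -or ($rights -band $genericAll)) {
            # Resolve the SID to a readable name; fall back to the raw SID.
            $name = try { $ace.IdentityReference.Translate($ntType).Value } catch { $ace.IdentityReference.Value }
            [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
        }
    }
}

# Each row is a directory in which a non-administrative principal can create files.
$findings | Sort-Object Directory, Principal | Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL can be read; an empty result means no listed directory grants file creation to a principal outside the trusted set.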
Affected Countries
United States, China, Germany, Japan, United Kingdom, France, Canada, Australia, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: Foxit
- Date Reserved: 2026-03-08T03:42:27.208Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69cc7a8ee6bfc5ba1d854114
Added to database: 4/1/2026, 1:53:18 AM
Last enriched: 4/1/2026, 2:09:14 AM
Last updated: 4/1/2026, 6:13:07 AM