Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws
Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as CVE-2026-5940 and CVE-2026-5943 through Zero Day Initiative advisories ZDI-26-301 and ZDI-26-304. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process.
Exploitation requires user interaction, such as opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves AcroForm Annotation objects; each carries a CVSS 7.8 severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.
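The root cause named above is a missing check that an object still exists before an operation is performed on it. The advisories do not publish the affected code, so the following is an added illustration of one defensive pattern rather than Foxit's implementation: a generation-tagged handle table in which callers hold opaque handles instead of raw pointers, and every operation resolves its handle (slot still live, generation still matching) before touching the object. A handle kept across the object's destruction is then refused, even if the slot has since been reused. All names here (`AnnotHandle`, `annot_create`, `annot_destroy`, the "Widget" and "Text" subtypes) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Generation-tagged handle table (hypothetical example, not Foxit's code).
 * Callers hold an opaque handle (slot index + generation) rather than a raw
 * pointer. Every operation first checks that the slot is live and that the
 * generation matches, so a handle to an annotation that was freed (even if
 * the slot was re-allocated to a new annotation) is rejected instead of
 * being dereferenced. */

#define MAX_ANNOTS 8

typedef struct {
    char subtype[16];   /* e.g. "Widget" for an AcroForm annotation (constructed) */
    int  page;
} Annotation;

typedef struct {
    Annotation *obj;    /* NULL when the slot is free */
    uint32_t    gen;    /* bumped on every free, so old handles go stale */
} Slot;

typedef struct {
    uint32_t index;
    uint32_t gen;
} AnnotHandle;

static Slot g_table[MAX_ANNOTS];

/* Create an annotation; returns a handle with index == UINT32_MAX on failure. */
AnnotHandle annot_create(const char *subtype, int page) {
    AnnotHandle h = { UINT32_MAX, 0 };
    for (uint32_t i = 0; i < MAX_ANNOTS; i++) {
        if (g_table[i].obj == NULL) {
            Annotation *a = calloc(1, sizeof *a);
            if (!a) return h;
            snprintf(a->subtype, sizeof a->subtype, "%s", subtype);
            a->page = page;
            g_table[i].obj = a;
            h.index = i;
            h.gen = g_table[i].gen;
            return h;
        }
    }
    return h;
}

/* Resolve a handle to a live object, or NULL if the object is gone. */
static Annotation *annot_lookup(AnnotHandle h) {
    if (h.index >= MAX_ANNOTS) return NULL;
    Slot *s = &g_table[h.index];
    if (s->obj == NULL || s->gen != h.gen) return NULL;  /* free or stale */
    return s->obj;
}

/* Destroy: free the object and invalidate every outstanding handle to it. */
int annot_destroy(AnnotHandle h) {
    if (!annot_lookup(h)) return -1;
    Slot *s = &g_table[h.index];
    free(s->obj);
    s->obj = NULL;
    s->gen++;           /* handles still carrying the old generation are now stale */
    return 0;
}

/* An operation that validates existence before touching the object.
 * Returns 0 on success, -1 if the handle no longer refers to a live object. */
int annot_set_page(AnnotHandle h, int page) {
    Annotation *a = annot_lookup(h);
    if (!a) return -1;
    a->page = page;
    return 0;
}

int annot_get_page(AnnotHandle h) {
    Annotation *a = annot_lookup(h);
    return a ? a->page : -1;
}

/* Walk-through: a handle retained across a destroy (as a script callback
 * might do) is refused, even after the slot is reused by a new annotation.
 * Returns 1 if the stale handle was correctly rejected, 0 otherwise. */
int demo_stale_handle_rejected(void) {
    AnnotHandle first = annot_create("Widget", 1);
    AnnotHandle kept = first;                      /* cached by a caller */
    annot_destroy(first);
    AnnotHandle second = annot_create("Text", 2);  /* reuses the same slot */
    int stale_refused = (annot_set_page(kept, 99) == -1);
    int new_intact = (annot_get_page(second) == 2);
    annot_destroy(second);
    return stale_refused && new_intact;
}

int main(void) {
    printf("stale handle rejected: %s\n",
           demo_stale_handle_rejected() ? "yes" : "no");
    return 0;
}
```

The generation counter is what distinguishes this from a plain "is the slot non-NULL" check: without it, a stale handle whose slot has been recycled would pass validation and silently operate on the wrong object.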
Timeline
Apr 27, 2026
ZDI publicly discloses CVE-2026-5940 and CVE-2026-5943
The Zero Day Initiative publicly released advisories ZDI-26-301 and ZDI-26-304 for two Foxit PDF Reader remote code execution vulnerabilities. The disclosures described use-after-free bugs with CVSS 7.8 severity and noted that exploitation requires user interaction.
Apr 27, 2026
Foxit releases updates to remediate the two PDF Reader flaws
Foxit issued software updates to fix the two use-after-free vulnerabilities in PDF Reader that were later assigned CVE-2026-5940 and CVE-2026-5943. The advisories state the fixes were available by the time of coordinated public disclosure.
Mar 30, 2026
Foxit notified of two PDF Reader use-after-free vulnerabilities
Zero Day Initiative reported two remote code execution flaws in Foxit PDF Reader to Foxit: CVE-2026-5940 involving Annotation object handling and CVE-2026-5943 involving AcroForm Annotation object handling. Both issues could allow arbitrary code execution if a user opens a malicious file or visits a malicious page.
Related Stories

Foxit PDF Reader and Notepad++ flaws expose users to code execution and memory leaks
Foxit PDF Reader received fixes for two vulnerabilities in AcroForm Signature object handling that can be triggered when a user opens a malicious document or visits a malicious page. **CVE-2026-5941** (`ZDI-26-302`) is a use-after-free flaw that can lead to remote code execution in the current process context, while **CVE-2026-5942** (`ZDI-26-303`) is a related use-after-free bug that can disclose sensitive information and could be chained with other issues to achieve code execution. Zero Day Initiative said Foxit has released updates for the affected software. Notepad++ also patched multiple vulnerabilities, including **CVE-2026-3008**, a string injection issue in the `FindInFiles` functionality tied to the `nativeLang.xml` `find-result-hits` field when it contains a `%s` format specifier. The flaw can crash the application or leak sensitive memory address information, and vendor reporting said **CVE-2026-6539** was fixed in the same release. Notepad++ version **8.9.4** was issued to remediate the bugs, and Germany's dCERT separately warned that the product's vulnerabilities could enable denial of service or information disclosure.
5 days ago
Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs
Foxit Reader contained two memory-corruption vulnerabilities in the `U3DBrowser` plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. **CVE-2019-6983** stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized `fread()` into a much smaller heap buffer. **CVE-2019-6982** involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a `malloc`-allocated buffer. The flaws affected Foxit Reader 9.x builds, including version `9.1.0.5096` with `U3DBrowser.fpi 9.1.0.425` and version `9.0.1.1049` with `U3DBrowser.fpi 9.0.1.994`. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.
3 weeks ago
Adobe Acrobat and Reader Use-After-Free Flaws in PDF Form Field JavaScript
Adobe patched two use-after-free vulnerabilities in Acrobat and Reader, tracked as **CVE-2019-8038** and **CVE-2019-8039**, that affect version `2019.012.20035` and earlier. The flaws are triggered when JavaScript in a PDF manipulates form fields during callbacks, allowing a `Document.Field` object to be freed through `document.removeField` while native code continues to use it. STAR Labs reported that the resulting memory corruption can crash the application and may be exploitable for code execution within Adobe's sandboxed context. The bugs involve insufficient validation around PDF form field handling in `removeField`, with one issue tied to `CTextWidget` objects during Format events and the other to `CTextField` objects during property assignment and hierarchical field naming. Researchers showed that protections could be bypassed by altering `event.target` during nested callbacks or abusing field hierarchies so a field is deleted mid-operation. Adobe acknowledged and fixed both issues in security bulletin **APSB19-41** following coordinated disclosure through ZDI.
3 weeks ago