Foxit PDF Reader and Notepad++ flaws expose users to code execution and memory leaks
Foxit PDF Reader received fixes for two vulnerabilities in AcroForm Signature object handling that can be triggered when a user opens a malicious document or visits a malicious page. CVE-2026-5941 (ZDI-26-302) is a use-after-free flaw that can lead to remote code execution in the current process context, while CVE-2026-5942 (ZDI-26-303) is a related use-after-free bug that can disclose sensitive information and could be chained with other issues to achieve code execution. Zero Day Initiative said Foxit has released updates for the affected software.
Notepad++ also patched multiple vulnerabilities, including CVE-2026-3008, a string injection issue in the FindInFiles functionality tied to the nativeLang.xml find-result-hits field when it contains a %s format specifier. The flaw can crash the application or leak sensitive memory address information, and vendor reporting said CVE-2026-6539 was fixed in the same release. Notepad++ version 8.9.4 was issued to remediate the bugs, and Germany's dCERT separately warned that the product's vulnerabilities could enable denial of service or information disclosure.
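The Notepad++ issue above is a format-string problem: a localization field that is meant to carry a fixed placeholder (a hit count) is handed to the formatter, so a translation containing an unexpected `%s` makes the formatter read a pointer where it was given an integer. The usual defensive control is to validate each translated string against the conversions the caller will actually supply before it is ever used as a format. The following is an added illustration of that check, not Notepad++ code; the helper names, the `"%d"` expectation and the fallback string are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Collects the conversion characters of every printf-style specifier in s
 * (e.g. "%d hits %s" -> "ds"), skipping the literal "%%". Returns -1 for a
 * dangling '%' or when out is too small. Hypothetical helper. */
static int extract_conversions(const char *s, char *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                       /* "%%" prints a percent sign */
        /* skip flags, width, precision and length modifiers; '*' is deliberately
         * not skipped so "%*d" is recorded as '*' and rejected below */
        while (*p && strchr("-+ #0123456789.lhjztL", *p)) p++;
        if (*p == '\0') return -1;                     /* lone '%' at end of string */
        if (n + 1 >= outsz) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* A translation is accepted only when its conversions match, in order and
 * type, exactly what the call site will pass (e.g. expected = "d"). */
bool translation_is_safe(const char *translated, const char *expected) {
    char found[32];
    if (extract_conversions(translated, found, sizeof found) < 0) return false;
    return strcmp(found, expected) == 0;
}

/* Formats the hit-count message. A rejected translation falls back to a trusted
 * built-in string, so an attacker-controlled "%s" never reaches snprintf. */
int format_hit_count(char *out, size_t outsz, const char *translated, int hits) {
    const char *fallback = "Found %d hits";                 /* assumed fallback text */
    const char *fmt = translation_is_safe(translated, "d") ? translated : fallback;
    return snprintf(out, outsz, fmt, hits);
}
```

Running the check once at load time, when the XML translation file is parsed, means a bad field is refused before any dialog is rendered; checking at each use, as above, also works but repeats the scan.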
Timeline
Apr 27, 2026
dCERT issues advisory on multiple Notepad++ vulnerabilities
Germany's dCERT published Advisory 2026-1260 warning that multiple Notepad++ vulnerabilities could allow denial of service or information disclosure. The advisory aligns with reporting around the patched Notepad++ flaws.
Apr 27, 2026
Notepad++ 8.9.4 released to fix CVE-2026-3008 and CVE-2026-6539
Notepad++ Product Owner Mr Hazley Samsudin released version 8.9.4 to remediate CVE-2026-3008, a string injection flaw in FindInFiles that can crash the application or leak memory address information, along with CVE-2026-6539. Patch details were published on the project's GitHub issue tracker.
Apr 27, 2026
ZDI publishes advisories for Foxit PDF Reader CVE-2026-5941 and CVE-2026-5942
The Zero Day Initiative publicly released advisories ZDI-26-302 and ZDI-26-303 covering Foxit PDF Reader vulnerabilities CVE-2026-5941 and CVE-2026-5942. ZDI said the bugs could enable remote code execution or information disclosure and noted the information disclosure issue could be chained with other flaws.
Mar 30, 2026
Foxit releases fixes for two PDF Reader AcroForm Signature flaws
Foxit made updates available to address two vulnerabilities in Foxit PDF Reader's handling of AcroForm Signature objects: CVE-2026-5941, a use-after-free remote code execution flaw, and CVE-2026-5942, a use-after-free information disclosure flaw. Both issues require user interaction such as opening a malicious file or visiting a malicious page.
Related Stories
Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws
Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as **CVE-2026-5940** and **CVE-2026-5943** through Zero Day Initiative advisories **ZDI-26-301** and **ZDI-26-304**. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process. Exploitation requires user interaction, including opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves **AcroForm Annotation** objects; each carries a **CVSS 7.8** severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.
Multiple Vulnerabilities Disclosed in Foxit PDF Reader and Editor
German authorities published advisories for **multiple vulnerabilities** affecting **Foxit PDF Reader** and **Foxit PDF Editor**, indicating ongoing security issues across the vendor's desktop PDF products. The notices identify separate advisory entries, `2026-0914` and `2026-1256`, covering flaws in both **Reader** and **Editor** and signaling that organizations using Foxit software should review the affected versions and available vendor guidance. The repeated disclosures suggest a broader patch-management concern for enterprises that rely on Foxit for document handling, particularly because PDF applications are common targets for malicious document-based exploitation. Security teams should prioritize validating installed Foxit versions, applying relevant updates, and monitoring for suspicious PDF-related activity on endpoints where Foxit Reader or Editor is deployed.
Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs
Foxit Reader contained two memory-corruption vulnerabilities in the `U3DBrowser` plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. **CVE-2019-6983** stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized `fread()` into a much smaller heap buffer. **CVE-2019-6982** involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a `malloc`-allocated buffer. The flaws affected Foxit Reader 9.x builds, including version `9.1.0.5096` with `U3DBrowser.fpi 9.1.0.425` and version `9.0.1.1049` with `U3DBrowser.fpi 9.0.1.994`. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.
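Both U3D bugs above are sizing mistakes in a binary parser: the allocation is computed from a file-declared value through a narrower type than the one the subsequent read uses, so the buffer and the read disagree. The following is an added example of the defensive pattern, written against a constructed toy block format rather than U3D, and is not Foxit code; the entry size, the policy cap and all sample bytes are assumptions. It shows the truncating cast as arithmetic only, beside a sizing routine that keeps one width end to end and bounds the copy by the bytes actually present.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed block format (not U3D): a 4-byte little-endian entry count
 * followed by count entries of ENTRY_SIZE bytes each. */
#define ENTRY_SIZE 12u
#define MAX_ENTRIES 65536u   /* hypothetical policy limit for one block */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bug class: sizing the buffer through a narrower type than the read uses.
 * The cast drops the high bits of count, so a large declared count yields a
 * tiny allocation that a later full-size read would overrun. Arithmetic only;
 * nothing is allocated or written here. */
size_t miscomputed_size(uint32_t count) {
    uint16_t truncated = (uint16_t)count;
    return (size_t)truncated * ENTRY_SIZE;
}

/* Hardened sizing: one width throughout, a policy cap, an overflow check, and
 * a bound against the bytes actually available in the input. */
bool checked_size(uint32_t count, size_t available, size_t *need) {
    if (count > MAX_ENTRIES) return false;
    if ((size_t)count > SIZE_MAX / ENTRY_SIZE) return false;
    *need = (size_t)count * ENTRY_SIZE;
    return *need <= available;
}

/* Parses one block from buf[0..len). Returns a malloc'd copy of the entries
 * (caller frees) or NULL when the header is truncated or sizing fails. The
 * copy length is the same value as the allocation, so they cannot disagree. */
uint8_t *parse_block(const uint8_t *buf, size_t len, uint32_t *out_count) {
    if (len < 4) return NULL;
    uint32_t count = read_le32(buf);
    size_t need;
    if (!checked_size(count, len - 4, &need)) return NULL;
    uint8_t *entries = malloc(need ? need : 1);
    if (!entries) return NULL;
    memcpy(entries, buf + 4, need);
    *out_count = count;
    return entries;
}

/* Convenience wrapper: accepted entry count, or -1 when the block is rejected. */
int parsed_count(const uint8_t *buf, size_t len) {
    uint32_t count = 0;
    uint8_t *entries = parse_block(buf, len, &count);
    if (!entries) return -1;
    free(entries);
    return (int)count;
}

/* Constructed sample inputs (trailing bytes are zero-filled). */
const uint8_t SAMPLE_OK[4 + 2 * ENTRY_SIZE] = { 2, 0, 0, 0 };      /* claims 2, carries 2 */
const uint8_t SAMPLE_SHORT[4 + ENTRY_SIZE] = { 2, 0, 0, 0 };       /* claims 2, carries 1 */
const uint8_t SAMPLE_HUGE[4] = { 0x04, 0x00, 0x01, 0x00 };          /* count 0x10004 */
```

The truncating path reports 48 bytes for a count of 0x10004 (it sees only the low 16 bits, i.e. 4 entries), while the checked path refuses the same block outright; a fuzzer feeding the parser short or oversized headers exercises every rejection branch without any out-of-bounds access.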