SB2026042743 - Multiple vulnerabilities in Foxit PDF Reader and PDF Editor for Windows
Published: April 27, 2026
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Uncaught Exception (CVE-ID: CVE-2026-5937)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an uncaught exception when handling tasks related to automatic directory imports. A remote attacker can trick the victim into opening a crafted document to cause a denial of service.
User interaction is required to open a crafted document.
2) Insufficient Control Flow Management (CVE-ID: CVE-2026-5938)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to insufficient control flow management when handling tasks related to automatic directory imports. A remote attacker can trick the victim into opening a document containing a crafted action chain to cause a denial of service.
User interaction is required to open a crafted document.
3) Use-after-free (CVE-ID: CVE-2026-5939)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free when parsing crafted XFA files or crafted annotation or signature objects. A remote attacker can trick the victim into opening a specially crafted document to execute arbitrary code.
The issue may also lead to information disclosure.
4) Use-after-free (CVE-ID: CVE-2026-5940)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free when handling certain Annotation or Signature objects. A remote attacker can trick the victim into opening a crafted document to execute arbitrary code.
User interaction is required to open a crafted document.
5) Use-after-free (CVE-ID: CVE-2026-5942)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free when handling certain Annotation or Signature objects. A remote attacker can trick the victim into opening a crafted document to execute arbitrary code.
User interaction is required to open a crafted document.
6) Use-after-free (CVE-ID: CVE-2026-5943)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free when handling certain Annotation or Signature objects. A remote attacker can trick the victim into opening a crafted document to execute arbitrary code.
User interaction is required to open a crafted document.
7) Input validation error (CVE-ID: CVE-2026-5941)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation when parsing malformed form field hierarchies: the parsing logic misidentifies non-signature data as a valid signature while constructing internal data structures. A remote attacker can trick the victim into opening a specially crafted document to execute arbitrary code.
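Items 3 to 7 are all reached through document structures that a pre-open triage step can surface: XFA content, annotation and signature objects, action chains, and the AcroForm field hierarchy. The following Python script is an added example written for this bulletin, not code from Foxit or from the bulletin. It inspects a constructed sample PDF (embedded in the script) for those features and walks the field tree with a visited set and a depth bound, so a malformed /Kids cycle cannot hang the walker, and it flags /FT /Sig fields whose /V value is not a /Type /Sig dictionary, the kind of non-signature data item 7 describes. It is a heuristic over uncompressed objects only (no xref, object-stream or filter handling) and does not detect or exploit any specific CVE above.

```python
import re
from typing import Dict, List

# Constructed sample (not a real exploit document): an AcroForm whose field
# tree has a /Kids cycle (3 -> 4 -> 3), a /FT /Sig field whose /V points at a
# stream that is not a signature dictionary, an /XFA entry and a JavaScript
# OpenAction. No xref table; only the object bodies matter for this triage.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 6 0 R /AcroForm 2 0 R
   /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>
endobj
2 0 obj
<< /Fields [3 0 R] /XFA 7 0 R /SigFlags 3 >>
endobj
3 0 obj
<< /T (root) /Kids [4 0 R] >>
endobj
4 0 obj
<< /T (child) /FT /Sig /V 5 0 R /Kids [3 0 R] >>
endobj
5 0 obj
<< /Length 4 >>
stream
abcd
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+0\s+R")
MAX_DEPTH = 32  # hard bound on field-tree depth; genuine trees are shallow


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Object number -> raw body. Minimal by design: no xref, object streams or filters."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def entry_refs(body: bytes, key: bytes) -> List[int]:
    """Indirect references in the value of /key (a single ref or an array of refs)."""
    m = re.search(rb"/" + key + rb"(?![A-Za-z])\s*(\[[^\]]*\]|\d+\s+0\s+R)", body)
    return [int(r) for r in REF_RE.findall(m.group(1))] if m else []


def has_name(body: bytes, name: bytes) -> bool:
    """True if the name token /name occurs in body (not as a prefix of a longer name)."""
    return re.search(rb"/" + name + rb"(?![A-Za-z])", body) is not None


def walk_fields(objs: Dict[int, bytes], roots: List[int]) -> dict:
    """Iterative field-tree walk with a visited set and depth bound: a /Kids cycle
    or an absurdly deep tree terminates instead of recursing forever."""
    f = {"sig_fields": [], "suspect_sig_values": [], "revisited": [],
         "max_depth": 0, "depth_exceeded": False}
    visited = set()
    stack = [(ref, 0) for ref in roots]
    while stack:
        ref, depth = stack.pop()
        if ref in visited:  # a field has one /Parent, so a second path to it is malformed
            f["revisited"].append(ref)
            continue
        visited.add(ref)
        f["max_depth"] = max(f["max_depth"], depth)
        body = objs.get(ref, b"")
        if re.search(rb"/FT\s*/Sig(?![A-Za-z])", body):
            f["sig_fields"].append(ref)
            for v in entry_refs(body, b"V"):  # /V of a /Sig field must be a /Type /Sig dict
                if not re.search(rb"/Type\s*/Sig(?![A-Za-z])", objs.get(v, b"")):
                    f["suspect_sig_values"].append(v)
        if depth + 1 > MAX_DEPTH:
            f["depth_exceeded"] = True
            continue
        stack.extend((kid, depth + 1) for kid in entry_refs(body, b"Kids"))
    return f


def triage(pdf: bytes) -> dict:
    """Summarise risky PDF features (XFA, actions, JavaScript, annotations, field tree)."""
    objs = parse_objects(pdf)
    catalog = next((b for b in objs.values() if re.search(rb"/Type\s*/Catalog", b)), b"")
    acro = entry_refs(catalog, b"AcroForm")
    acroform = objs.get(acro[0], b"") if acro else b""
    report = {
        "has_xfa": has_name(acroform, b"XFA"),
        "has_open_action": has_name(catalog, b"OpenAction"),
        "has_javascript": any(re.search(rb"/S\s*/JavaScript(?![A-Za-z])", b) for b in objs.values()),
        "has_additional_actions": any(has_name(b, b"AA") for b in objs.values()),
        "annotations": sum(1 for b in objs.values() if re.search(rb"/Type\s*/Annot(?![A-Za-z])", b)),
    }
    report.update(walk_fields(objs, entry_refs(acroform, b"Fields")))
    report["risky"] = bool(report["has_xfa"] or report["has_javascript"] or report["revisited"]
                           or report["suspect_sig_values"] or report["depth_exceeded"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key:>23}: {value}")
```

Run it on a file with `triage(open(path, "rb").read())`; a "risky" result is a reason to open the document only in a patched reader or a sandbox, not proof of malice, since legitimate forms also use XFA and JavaScript. The visited set and MAX_DEPTH are the same defences a reader's own field-tree walker needs against the malformed hierarchies item 7 describes.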
Remediation
Install the update from the vendor's website. Per the referenced Foxit bulletins, the fixed releases are Foxit PDF Editor 13.2.4, and Foxit PDF Reader 2026.1.1 and Foxit PDF Editor 2026.1.1 / 14.0.4.
References
- https://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+PDF+Editor+13.2.42026-04-27+00%3A00%3A00
- https://www.foxitsoftware.com/support/security-bulletins.html?Security+updates+available+in+Foxit+PDF+Reader+2026.1.1+and+Foxit+PDF+Editor+2026.1.1%2F14.0.42026-04-27+00%3A00%3A00