Buffer overflow in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2026-57246

 

Buffer overflow in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2026-57246

Published: July 8, 2026


Vulnerability identifier: #VU137071
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-57246
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Foxit Software Inc.
Affected software:
Foxit PDF Editor (formerly Foxit PhantomPDF)
Foxit PDF Reader for Windows

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to buffer copy without checking size of input in Foxit PDF Reader and Foxit PDF Editor when handling certain PDFs containing abnormal signature fields or annotation objects. A remote attacker can trick the victim into opening a crafted PDF file to execute arbitrary code.

User interaction is required to open a crafted PDF file.


How to mitigate CVE-2026-57246

Install security update from vendor's website.

Sources