Release of invalid pointer or reference in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2026-57248

 

Release of invalid pointer or reference in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2026-57248

Published: July 8, 2026


Vulnerability identifier: #VU137072
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-57248
CWE-ID: CWE-763
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Foxit Software Inc.
Affected software:
Foxit PDF Editor (formerly Foxit PhantomPDF)
Foxit PDF Reader for Windows

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to release of invalid pointer or reference in Foxit PDF Reader and Foxit PDF Editor when handling certain PDFs embedded with JavaScript to modify annotation attributes. A remote attacker can trick the victim into opening a crafted PDF file to execute arbitrary code.

User interaction is required to open a crafted PDF file.


How to mitigate CVE-2026-57248

Install security update from vendor's website.

Sources