Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws
Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as CVE-2026-5940 and CVE-2026-5943 through Zero Day Initiative advisories ZDI-26-301 and ZDI-26-304. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process.
Exploitation requires user interaction, including opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves AcroForm Annotation objects; each carries a CVSS 7.8 severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ZDI publicly discloses CVE-2026-5940 and CVE-2026-5943
The Zero Day Initiative publicly released advisories ZDI-26-301 and ZDI-26-304 for two Foxit PDF Reader remote code execution vulnerabilities. The disclosures described use-after-free bugs with CVSS 7.8 severity and noted that exploitation requires user interaction.
Foxit releases updates to remediate the two PDF Reader flaws
Foxit issued software updates to fix the two use-after-free vulnerabilities in PDF Reader that were later assigned CVE-2026-5940 and CVE-2026-5943. The advisories state the fixes were available by the time of coordinated public disclosure.
Foxit notified of two PDF Reader use-after-free vulnerabilities
Zero Day Initiative reported two remote code execution flaws in Foxit PDF Reader to Foxit: CVE-2026-5940 involving Annotation object handling and CVE-2026-5943 involving AcroForm Annotation object handling. Both issues could allow arbitrary code execution if a user opens a malicious file or visits a malicious page.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Foxit PDF Reader and Notepad++ flaws expose users to code execution and memory leaks
Foxit PDF Reader received fixes for two vulnerabilities in AcroForm Signature object handling that can be triggered when a user opens a malicious document or visits a malicious page. **CVE-2026-5941** (`ZDI-26-302`) is a use-after-free flaw that can lead to remote code execution in the current process context, while **CVE-2026-5942** (`ZDI-26-303`) is a related use-after-free bug that can disclose sensitive information and could be chained with other issues to achieve code execution. Zero Day Initiative said Foxit has released updates for the affected software. Notepad++ also patched multiple vulnerabilities, including **CVE-2026-3008**, a string injection issue in the `FindInFiles` functionality tied to the `nativeLang.xml` `find-result-hits` field when it contains a `%s` format specifier. The flaw can crash the application or leak sensitive memory address information, and vendor reporting said **CVE-2026-6539** was fixed in the same release. Notepad++ version **8.9.4** was issued to remediate the bugs, and Germany's dCERT separately warned that the product's vulnerabilities could enable denial of service or information disclosure.
Apr 27, 2026
Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs
Foxit Reader contained two memory-corruption vulnerabilities in the `U3DBrowser` plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. **CVE-2019-6983** stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized `fread()` into a much smaller heap buffer. **CVE-2019-6982** involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a `malloc`-allocated buffer. The flaws affected Foxit Reader 9.x builds, including version `9.1.0.5096` with `U3DBrowser.fpi 9.1.0.425` and version `9.0.1.1049` with `U3DBrowser.fpi 9.0.1.994`. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.
May 24, 2026
Adobe Acrobat and Reader Use-After-Free Flaws in PDF Form Field JavaScript
Adobe patched two use-after-free vulnerabilities in Acrobat and Reader, tracked as **CVE-2019-8038** and **CVE-2019-8039**, that affect version `2019.012.20035` and earlier. The flaws are triggered when JavaScript in a PDF manipulates form fields during callbacks, allowing a `Document.Field` object to be freed through `document.removeField` while native code continues to use it. STAR Labs reported that the resulting memory corruption can crash the application and may be exploitable for code execution within Adobe's sandboxed context. The bugs involve insufficient validation around PDF form field handling in `removeField`, with one issue tied to `CTextWidget` objects during Format events and the other to `CTextField` objects during property assignment and hierarchical field naming. Researchers showed that protections could be bypassed by altering `event.target` during nested callbacks or abusing field hierarchies so a field is deleted mid-operation. Adobe acknowledged and fixed both issues in security bulletin **APSB19-41** following coordinated disclosure through ZDI.
May 24, 2026