Foxit PDF Reader and Notepad++ flaws expose users to code execution and memory leaks
Foxit PDF Reader received fixes for two vulnerabilities in AcroForm Signature object handling that can be triggered when a user opens a malicious document or visits a malicious page. CVE-2026-5941 (ZDI-26-302) is a use-after-free flaw that can lead to remote code execution in the current process context, while CVE-2026-5942 (ZDI-26-303) is a related use-after-free bug that can disclose sensitive information and could be chained with other issues to achieve code execution. Zero Day Initiative said Foxit has released updates for the affected software.
Notepad++ also patched multiple vulnerabilities, including CVE-2026-3008, a string injection issue in the FindInFiles functionality tied to the nativeLang.xml find-result-hits field when it contains a %s format specifier. The flaw can crash the application or leak sensitive memory address information, and vendor reporting said CVE-2026-6539 was fixed in the same release. Notepad++ version 8.9.4 was issued to remediate the bugs, and Germany's dCERT separately warned that the product's vulnerabilities could enable denial of service or information disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
dCERT issues advisory on multiple Notepad++ vulnerabilities
Germany's dCERT published Advisory 2026-1260 warning that multiple Notepad++ vulnerabilities could allow denial of service or information disclosure. The advisory aligns with reporting around the patched Notepad++ flaws.
Notepad++ 8.9.4 released to fix CVE-2026-3008 and CVE-2026-6539
Notepad++ Product Owner Mr Hazley Samsudin released version 8.9.4 to remediate CVE-2026-3008, a string injection flaw in FindInFiles that can crash the application or leak memory address information, along with CVE-2026-6539. Patch details were published on the project's GitHub issue tracker.
ZDI publishes advisories for Foxit PDF Reader CVE-2026-5941 and CVE-2026-5942
The Zero Day Initiative publicly released advisories ZDI-26-302 and ZDI-26-303 covering Foxit PDF Reader vulnerabilities CVE-2026-5941 and CVE-2026-5942. ZDI said the bugs could enable remote code execution or information disclosure and noted the information disclosure issue could be chained with other flaws.
Foxit releases fixes for two PDF Reader AcroForm Signature flaws
Foxit made updates available to address two vulnerabilities in Foxit PDF Reader's handling of AcroForm Signature objects: CVE-2026-5941, a use-after-free remote code execution flaw, and CVE-2026-5942, a use-after-free information disclosure flaw. Both issues require user interaction such as opening a malicious file or visiting a malicious page.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Notepad++ Vulnerability Allows Attackers to Crash Application, Leak Memory Data
cybersecuritynews.com
Open sourcedCERT - Advisory 2026-1260 - Notepad++: Multiple Vulnerabilities allow DoS or information disclosure
dcert.de
Open sourceZDI-26-303 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-302 | Zero Day Initiative
zerodayinitiative.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws
Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as **CVE-2026-5940** and **CVE-2026-5943** through Zero Day Initiative advisories **ZDI-26-301** and **ZDI-26-304**. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process. Exploitation requires user interaction, including opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves **AcroForm Annotation** objects; each carries a **CVSS 7.8** severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.
May 24, 2026
Multiple Vulnerabilities Disclosed in Foxit PDF Reader and Editor
German authorities published advisories for **multiple vulnerabilities** affecting **Foxit PDF Reader** and **Foxit PDF Editor**, indicating ongoing security issues across the vendor's desktop PDF products. The notices identify separate advisory entries, `2026-0914` and `2026-1256`, covering flaws in both **Reader** and **Editor** and signaling that organizations using Foxit software should review the affected versions and available vendor guidance. The repeated disclosures suggest a broader patch-management concern for enterprises that rely on Foxit for document handling, particularly because PDF applications are common targets for malicious document-based exploitation. Security teams should prioritize validating installed Foxit versions, applying relevant updates, and monitoring for suspicious PDF-related activity on endpoints where Foxit Reader or Editor is deployed.
Apr 27, 2026
Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs
Foxit Reader contained two memory-corruption vulnerabilities in the `U3DBrowser` plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. **CVE-2019-6983** stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized `fread()` into a much smaller heap buffer. **CVE-2019-6982** involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a `malloc`-allocated buffer. The flaws affected Foxit Reader 9.x builds, including version `9.1.0.5096` with `U3DBrowser.fpi 9.1.0.425` and version `9.0.1.1049` with `U3DBrowser.fpi 9.0.1.994`. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.
May 24, 2026