Description
The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a crafted document to trigger a null pointer dereference and crash the application, resulting in denial of service.
Published: 2026-04-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Foxit PDF Editor and Reader contain a null pointer dereference when processing stamp annotations that lack required appearance data. A crafted PDF document can trigger the application to crash, leading to a denial of service for the affected user.

Affected Systems

Products affected are Foxit PDF Editor and Foxit PDF Reader across platforms supported by the application, including macOS and Windows. No specific version information is provided, so all current releases should be checked for updates.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, indicating medium severity, and an EPSS score of less than 1 percent, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires a user to open a crafted PDF file, typically from the user’s local environment or from an untrusted source. The impact is limited to application crashes without privilege escalation or data theft.

Generated by OpenCVE AI on April 14, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Foxit PDF Editor or Reader to the latest version that includes the fix.
  • Verify that the update is installed on all devices running the application.
  • If an update is not yet available, restrict opening of PDFs from untrusted sources until the patch is applied.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:00:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Apple; Apple macos; Foxit; Foxit pdf Editor; Foxit pdf Reader; Microsoft; Microsoft windows

Type: CPEs
Values Removed:
Values Added:
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed:
Values Added: Apple; Apple macos; Foxit; Foxit pdf Editor; Foxit pdf Reader; Microsoft; Microsoft windows

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Foxitsoftware; Foxitsoftware foxit Pdf Editor; Foxitsoftware foxit Reader

Type: Vendors & Products
Values Removed:
Values Added: Foxitsoftware; Foxitsoftware foxit Pdf Editor; Foxitsoftware foxit Reader

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type: Description
Values Removed:
Values Added: The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a crafted document to trigger a null pointer dereference and crash the application, resulting in denial of service.

Type: Title
Values Removed:
Values Added: Null pointer dereference in Foxit PDF Editor/Reader when accessing stamp annotation

Type: Weaknesses
Values Removed:
Values Added: CWE-476

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-04-02T02:12:28.499Z

Reserved: 2026-03-08T03:43:23.264Z

Link: CVE-2026-3776

Vulnrichment

Updated: 2026-04-01T14:17:15.666Z

NVD

Status: Analyzed

Published: 2026-04-01T02:16:02.590

Modified: 2026-04-14T17:55:57.200

Link: CVE-2026-3776

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses