Description
When the application opens a PDF file and JavaScript deletes the PDF fields, the subsequent logic still uses the old field pointers, resulting in invalid pointer references and causing the application to crash.
Published: 2026-07-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When a PDF file containing JavaScript deletes form fields, the Foxit PDF Editor and Reader still use the old pointers to those fields. This leads to a use‑after‑free condition that can trigger a crash. The flaw is categorized as CWE‑416 and, while the description states a crash, the reported vulnerability is presented as a remote code execution flaw, indicating that an attacker might be able to exploit the invalid pointer to execute arbitrary code.

Affected Systems

Foxit Software Inc.'s Foxit PDF Editor and Foxit PDF Reader are affected. No specific version information is provided, so any potentially vulnerable build of these products should be evaluated.

Risk and Exploitability

The CVSS score of 7.8 places the flaw in the high severity range, yet the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the user opening a malicious PDF file, either locally or over a network. Exploitation would require JavaScript execution within the PDF and deallocation of form fields, conditions that an attacker can engineer with a crafted document.

Generated by OpenCVE AI on July 8, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Foxit PDF Editor or Reader update that addresses the use‑after‑free issue.
  • Disable JavaScript execution for PDF files through the application settings to prevent the script from deleting fields.
  • Use a sandboxed environment or restrict privileges for the PDF reader when viewing untrusted documents.

Generated by OpenCVE AI on July 8, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 08:30:00 +0000

Type Values Removed Values Added
Description When the application opens a PDF file and JavaScript deletes the PDF fields, the subsequent logic still uses the old field pointers, resulting in invalid pointer references and causing the application to crash.
Title Foxit PDF Editor/Reader Form Field Use-After-Free Remote Code Execution Vulnerability
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-07-08T12:20:15.388Z

Reserved: 2026-06-24T03:01:15.648Z

Link: CVE-2026-57240

cve-icon Vulnrichment

Updated: 2026-07-08T12:17:24.215Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T15:15:04Z

Weaknesses