Description
When the application opens a PDF file and JavaScript writes annotation attributes, there is a lack of sufficient object type and argument checks. As a result, due to the damage to the internal structure of the annotations, it causes the application to crash during subsequent release.
Published: 2026-07-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Foxit PDF Editor and Reader allow JavaScript in PDF files to write annotation attributes without adequate object type and argument validation. This flaw corrupts the internal annotation structure, causing the application to crash when those annotations are released. The vulnerability results in an application crash, which constitutes a denial‑of‑service condition. The weakness corresponds to CWE‑763, Improper Release of Resource after Release.

Affected Systems

The affected vendors are Foxit Software Inc. The impacted products are Foxit PDF Editor and Foxit PDF Reader. No specific version information is supplied in the current advisory, so all released versions of these products may be vulnerable until a patch is issued.

Risk and Exploitability

The CVSS score is 7.8, indicating a high severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. The likely attack route is the delivery of a malicious PDF containing JavaScript that manipulates annotation attributes. If a user opens such a file, the flaw would be triggered, leading to a crash. Therefore, attackers could use this vulnerability to disrupt desktop users or automate denial‑of‑service attacks within an environment that trusts PDF files.

Generated by OpenCVE AI on July 8, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install any available Foxit PDF Editor or Reader update that contains a fix for the annotation crash.
  • Disable JavaScript execution for PDFs in the application preferences to reduce the window of exploitation.
  • If no update is available immediately, avoid opening PDFs from untrusted or unknown sources, and consider running Foxit in a sandboxed environment to contain any crash.

Generated by OpenCVE AI on July 8, 2026 at 15:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 08:30:00 +0000

Type Values Removed Values Added
Description When the application opens a PDF file and JavaScript writes annotation attributes, there is a lack of sufficient object type and argument checks. As a result, due to the damage to the internal structure of the annotations, it causes the application to crash during subsequent release.
Title Foxit PDF Editor/Reader Annotation Improper Release Vulnerability
Weaknesses CWE-763
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-07-08T12:38:26.513Z

Reserved: 2026-06-24T03:01:18.717Z

Link: CVE-2026-57248

cve-icon Vulnrichment

Updated: 2026-07-08T12:38:19.063Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T15:15:04Z

Weaknesses
  • CWE-763

    Release of Invalid Pointer or Reference