Description
The application opened a PDF file containing an abnormal Unity 3D object. During parsing, the application incorrectly resolved a portion of the abnormal object as a pointer and used it as a valid address, ultimately causing the application to crash.
Published: 2026-07-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a type confusion in Foxit’s U3D Adobe Mesh Decompression routine. During the parsing of an abnormal Unity 3D object, the editor mistakenly treats part of the object as a pointer and dereferences it as a valid address. This leads to an invalid memory access that crashes the application. The primary impact is a denial‑of‑service condition, as users cannot continue working with the affected PDF file.

Affected Systems

Foxit Software Inc.’s PDF Editor and PDF Reader products are affected. The CVE record does not specify exact version ranges, so any installation running the vulnerable component before the available fix is potentially impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates a high risk of exploitation, and while the EPSS score is unavailable, the vulnerability remains unlisted in CISA’s KEV catalog. The likely attack vector is a crafted PDF file opened by a user; an attacker can embed the malformed Unity 3D object and cause the application to crash. Because the failure is confined to the local user context, the exploitation does not grant code execution or privilege escalation, but it does allow denial of service and potential user productivity loss.

Generated by OpenCVE AI on July 8, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Foxit PDF Editor or PDF Reader update that addresses the U3D Adobe Mesh Decompression issue.
  • If an update is not yet available, disable U3D support or block Unity 3D objects within the application’s settings.
  • Avoid opening PDF files from untrusted sources and educate users to verify document legitimacy before opening.

Generated by OpenCVE AI on July 8, 2026 at 15:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 08:30:00 +0000

Type Values Removed Values Added
Description The application opened a PDF file containing an abnormal Unity 3D object. During parsing, the application incorrectly resolved a portion of the abnormal object as a pointer and used it as a valid address, ultimately causing the application to crash.
Title Security vulnerability in Foxit PDF Editor/Reader — U3D Adobe Mesh Decompression (Type Confusion / Invalid Pointer Dereference)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-07-08T12:47:34.866Z

Reserved: 2026-06-24T03:01:24.249Z

Link: CVE-2026-57260

cve-icon Vulnrichment

Updated: 2026-07-08T12:47:29.049Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T15:15:04Z

Weaknesses