Description
Flaws in page lifecycle management allow document structure changes to desynchronize internal component states, causing subsequent operations to access invalidated objects and crash the program.
Published: 2026-04-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (crash due to use‑after‑free)
Action: Apply Patch
AI Analysis

Impact

The report identifies a use‑after‑free flaw in Foxit PDF Editor and Reader that arises during page lifecycle management. Invalidating internal components while the document structure changes causes the application to reference freed memory, leading to a crash. The consequence for users is a denial of service, as the program terminates when the vulnerability is triggered.

Affected Systems

Foxit Software Inc. products are affected, specifically Foxit PDF Editor and Foxit PDF Reader. Version information is not supplied in the advisory, so it is unclear which releases contain the flaw.

Risk and Exploitability

The vulnerability receives a moderate CVSS score of 5.5 and an EPSS score of less than 1 %, indicating it is not a high‑probability target for widespread exploitation. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger this vulnerability by crafting a malicious PDF that is opened by the victim; a malicious file could be delivered via email or a compromised website and cause the viewer to crash. This suggests the attack vector is user‑initiated via a malicious document, and the risk to business operations is mainly interruption rather than data compromise.

Generated by OpenCVE AI on April 28, 2026 at 13:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of Foxit PDF Editor or Reader to eliminate the use‑after‑free flaw.
  • Avoid opening PDF files from untrusted sources, and consider disabling JavaScript execution in the viewer.
  • Run the PDF viewer in a sandboxed or isolated environment to contain any crashes and prevent the application from affecting the rest of the system.

Generated by OpenCVE AI on April 28, 2026 at 13:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Foxit
Foxit pdf Editor
Foxit pdf Reader
CPEs cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
Vendors & Products Foxit
Foxit pdf Editor
Foxit pdf Reader

Tue, 28 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Foxitsoftware
Foxitsoftware foxit Pdf Editor
Foxitsoftware foxit Reader
Vendors & Products Foxitsoftware
Foxitsoftware foxit Pdf Editor
Foxitsoftware foxit Reader

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description Flaws in page lifecycle management allow document structure changes to desynchronize internal component states, causing subsequent operations to access invalidated objects and crash the program.
Title Foxit PDF Editor/Reader AcroForm Signature Use-After-Free Vulnerability
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Foxit Pdf Editor Pdf Reader
Foxitsoftware Foxit Pdf Editor Foxit Reader
cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-04-27T13:43:18.769Z

Reserved: 2026-04-09T03:42:17.871Z

Link: CVE-2026-5942

cve-icon Vulnrichment

Updated: 2026-04-27T13:40:19.477Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-27T12:16:24.603

Modified: 2026-04-29T17:18:37.597

Link: CVE-2026-5942

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses