VYPR
advisory · Published Apr 27, 2026 · Updated May 18, 2026 · 1 source

Foxit PDF Reader AcroForm Use-After-Free Flaw Allows Remote Code Execution

A use-after-free vulnerability in Foxit PDF Reader's handling of AcroForm Annotation objects, tracked as CVE-2026-5943, allows attackers to execute arbitrary code by tricking users into opening a malicious PDF file.

Foxit PDF Reader users are urged to apply the latest security update following the disclosure of a high-severity use-after-free vulnerability in the software's handling of AcroForm Annotation objects. The flaw, assigned CVE-2026-5943 and reported through the Zero Day Initiative (ZDI-26-304), carries a CVSS score of 7.8 (High, not Critical) and allows arbitrary code execution on affected installations once a user opens an attacker-supplied PDF; user interaction is required, but no authentication to the victim system is.

The vulnerability resides in the way Foxit PDF Reader manages Annotation objects. The software fails to validate that an object still exists before operating on it, so a reference to an Annotation that has already been freed can be reused, the classic use-after-free condition. Exploitation requires user interaction: the attacker crafts a malicious PDF and convinces the target to open it, whether served from a compromised or attacker-controlled website or delivered directly as a file. Successful exploitation yields code execution in the context of the current process, that is, with the privileges of the logged-in user. It does not by itself grant SYSTEM or root, so full system compromise would require a separate privilege-escalation step, but user-level access is usually enough to read documents, drop further payloads and move laterally.
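The handler-versus-callback shape behind a missing existence check, as an added illustration in C that is not Foxit's code and is not derived from the advisory: a toy document table of annotation objects (the `Document`, `Annot`, `resolve_unchecked` and `resolve_checked` names, and the two "script" callbacks, are this example's own assumptions) shows the vulnerable pattern, where a raw pointer survives a script callback that can free the object, beside the hardened pattern, where only a handle survives and the object is re-resolved from the live table afterwards.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (an assumption for illustration, not Foxit's code): a
 * document owns a table of AcroForm annotation objects, and a document-level
 * script callback may delete one while a native handler still references it. */
#define MAX_ANNOTS 8
typedef struct {
    unsigned id;   /* stable handle; the key used for re-validation */
    int value;
} Annot;

typedef struct {
    Annot *table[MAX_ANNOTS]; /* live table: a NULL slot means "no object" */
    unsigned next_id;
} Document;

typedef void (*script_cb)(Document *doc, unsigned id);
static Annot *doc_add_annot(Document *doc) {
    for (int i = 0; i < MAX_ANNOTS; i++) {
        if (doc->table[i] != NULL) continue;
        Annot *a = calloc(1, sizeof *a);
        if (a != NULL) { a->id = ++doc->next_id; doc->table[i] = a; }
        return a;
    }
    return NULL;
}

/* Existence check: only the live table knows whether `id` still exists. */
static Annot *doc_find_annot(const Document *doc, unsigned id) {
    for (int i = 0; i < MAX_ANNOTS; i++)
        if (doc->table[i] != NULL && doc->table[i]->id == id)
            return doc->table[i];
    return NULL;
}

static bool doc_delete_annot(Document *doc, unsigned id) {
    for (int i = 0; i < MAX_ANNOTS; i++) {
        if (doc->table[i] == NULL || doc->table[i]->id != id) continue;
        free(doc->table[i]);
        doc->table[i] = NULL;
        return true;
    }
    return false;
}

/* VULNERABLE pattern: a raw pointer is kept across a callback that can free
 * the object and handed back without asking the table whether it still
 * exists. Whatever the caller does with it next is the use-after-free. */
static Annot *resolve_unchecked(Document *doc, Annot *a, script_cb cb) {
    cb(doc, a->id);   /* attacker-controlled script may delete `a` here */
    return a;         /* dangling if it did */
}

/* HARDENED pattern: only the handle crosses the callback; the object is then
 * re-resolved through the live table, so a deleted annotation comes back NULL. */
static Annot *resolve_checked(Document *doc, unsigned id, script_cb cb) {
    cb(doc, id);
    return doc_find_annot(doc, id);
}

/* Two constructed document scripts: one hostile, one harmless. */
static void script_deletes_field(Document *doc, unsigned id) { doc_delete_annot(doc, id); }
static void script_benign(Document *doc, unsigned id) { (void)doc; (void)id; }

/* True when the unchecked handler returns a pointer whose object is no longer
 * in the live table. The pointer is only compared here, never dereferenced. */
bool demo_unchecked_dangles(void) {
    Document doc = {0};
    Annot *a = doc_add_annot(&doc);
    if (a == NULL) return false;
    unsigned id = a->id;
    uintptr_t addr = (uintptr_t)a;
    Annot *r = resolve_unchecked(&doc, a, script_deletes_field);
    return (uintptr_t)r == addr && doc_find_annot(&doc, id) == NULL;
}

/* Runs the hardened handler under `cb`; returns the value written to the
 * field, or -1 when the handler correctly refused because the field was gone. */
int demo_checked(script_cb cb) {
    Document doc = {0};
    Annot *a = doc_add_annot(&doc);
    if (a == NULL) return -1;
    unsigned id = a->id;
    int result = -1;
    Annot *r = resolve_checked(&doc, id, cb);
    if (r != NULL) result = r->value = 42;   /* safe: object re-validated */
    doc_delete_annot(&doc, id);              /* cleanup; no-op if already gone */
    return result;
}

int main(void) {
    printf("unchecked handler dangles: %s\n", demo_unchecked_dangles() ? "yes" : "no");
    printf("checked, hostile script: %d (expect -1)\n", demo_checked(script_deletes_field));
    printf("checked, benign script: %d (expect 42)\n", demo_checked(script_benign));
    return 0;
}
```

Build with `cc -Wall -fsanitize=address` and add a write through the pointer `resolve_unchecked` returns to watch AddressSanitizer report the heap-use-after-free; the hardened path never hands out a pointer to an object the table has already forgotten, which is the "validate the existence of an object before performing operations on it" check the advisory says is missing.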

Foxit PDF Reader is widely deployed by enterprises and individuals for viewing, editing and signing PDF documents. The advisory does not list affected version numbers; treat every installation older than the fixed release named in Foxit's security bulletin as vulnerable. Given how routinely PDF attachments are used in phishing, the flaw poses a significant risk to organizations that rely on Foxit PDF Reader in daily document workflows.

Foxit has issued a security update that addresses the vulnerability, and users and administrators should upgrade to the fixed release as soon as possible; details are on Foxit's official security bulletins page. No in-the-wild exploitation had been reported at the time of disclosure. The public advisory names the affected component and the bug class rather than a full technical write-up, but that is enough of a starting point for attackers to locate the underlying bug by diffing the patched binary against the previous release, so the window before working exploits appear should be assumed to be short.

The vulnerability was reported to Foxit on March 30, 2026, and the coordinated public advisory was released on April 27, 2026, a window of roughly four weeks. The researcher who discovered the flaw chose to remain anonymous. The disclosure fits a pattern of increasing scrutiny of PDF reader security, as these applications remain a common initial-access vector in targeted attacks.

Organizations should prioritize patching Foxit PDF Reader across all endpoints, using software-inventory data to find installations still below the fixed release, and consider application allow-listing or sandboxing (running the reader under an OS-level sandbox or in a restricted virtual desktop) to contain exploitation during the patch gap. Foxit's Safe Reading Mode, which restricts what a document is allowed to do, reduces the reader's attack surface in general, although the advisory does not state whether it blocks this particular flaw. User awareness training on the risks of opening unsolicited PDF files remains a useful, if imperfect, defense layer; filtering PDF attachments from untrusted senders at the mail gateway and alerting on Foxit spawning unexpected child processes, a common post-exploitation sign, complement it.

Synthesized by Vypr AI