VYPR
Published Apr 27, 2026 · Updated May 18, 2026 · 1 source

Foxit PDF Reader Use-After-Free Flaw Allows Remote Code Execution via Malicious PDFs

A high-severity use-after-free vulnerability in Foxit PDF Reader's handling of AcroForm Signature fields lets an attacker who can get a user to open a crafted PDF execute arbitrary code; a patch is available.

A high-severity use-after-free vulnerability in Foxit PDF Reader, tracked as CVE-2026-5941, allows attackers to execute arbitrary code on affected installations. The flaw, disclosed by the Zero Day Initiative (ZDI) on April 27, 2026, lies in the software's handling of Signature objects within AcroForm fields. Exploitation requires user interaction: the target must open a malicious PDF file, or visit a specially crafted web page that delivers one to the reader.

The vulnerability stems from a use-after-free condition: the software fails to verify that an object still exists before performing operations on it, so a Signature object that has already been freed can be reached through a dangling reference. An attacker who controls what lands in the freed memory can turn this memory corruption into arbitrary code execution in the context of the current process, that is, with the privileges of the user running Foxit PDF Reader. The flaw carries a CVSS v3 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Note the Local attack vector (AV:L) and required user interaction (UI:R): although ZDI classifies the issue as remotely exploitable, the vulnerable code is not reachable over the network on its own; a victim has to open the crafted document.
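The advisory names the attack surface (AcroForm fields of type Signature) but, as usual for ZDI disclosures, not the trigger. What a mail gateway or incident responder can still do is prioritise PDFs that declare that surface. The following triage script is an added example written for this page; it is not code from Foxit, ZDI or the advisory, and it does not detect exploitation of CVE-2026-5941. It is a coarse heuristic that reports whether a file carries an `/AcroForm` and how many `/FT /Sig` fields it declares, scanning both the raw bytes and the inflated body of every FlateDecode stream, because field dictionaries are routinely packed into compressed object streams where a plain byte scan would miss them. The PDF samples are constructed inline for the example. Assumptions: only the FlateDecode filter is handled (no encryption, no other filters), and signature fields are legitimate and common, so a hit means "review first", not "malicious".

```python
import re
import zlib

# Heuristic regexes over raw PDF syntax (assumed; this is not a full PDF parser).
ACROFORM_RE = re.compile(rb"/AcroForm\b")
SIG_FIELD_RE = re.compile(rb"/FT\s*/Sig\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _views(pdf: bytes):
    """Yield the raw file, then the inflated body of every Flate stream.

    Field dictionaries are often stored inside compressed object streams
    (/Type /ObjStm), so scanning only the raw bytes would miss them.
    """
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            # Not a Flate stream (image data, uncompressed content, ...).
            continue


def triage_pdf(pdf: bytes) -> dict:
    """Report whether the file has an AcroForm and how many signature fields it declares."""
    has_acroform = False
    sig_fields = 0
    for view in _views(pdf):
        if ACROFORM_RE.search(view):
            has_acroform = True
        sig_fields += len(SIG_FIELD_RE.findall(view))
    return {
        "has_acroform": has_acroform,
        "sig_fields": sig_fields,
        # Flag for manual review: the file touches the code path the advisory names.
        "review": has_acroform and sig_fields > 0,
    }


def _pdf_with_field(field_dict: bytes, compress: bool) -> bytes:
    """Build a minimal constructed PDF whose catalog declares an /AcroForm.

    The single field dictionary is stored either as a plain object or inside
    a FlateDecode object stream, to exercise both scan paths.
    """
    if compress:
        body = zlib.compress(field_dict)
        obj3 = (b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
                + str(len(body)).encode() + b" >>\nstream\n" + body
                + b"\nendstream\nendobj\n")
    else:
        obj3 = b"3 0 obj\n" + field_dict + b"\nendobj\n"
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [3 0 R] >> >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            + obj3
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


SIG_FIELD = b"<< /FT /Sig /T (Signature1) /Rect [0 0 100 50] >>"
TEXT_FIELD = b"<< /FT /Tx /T (Name) /Rect [0 0 100 50] >>"

# Constructed samples: a plain signature field, the same field hidden in an
# object stream, an ordinary text field, and a document with no form at all.
SAMPLES = {
    "sig_plain": _pdf_with_field(SIG_FIELD, compress=False),
    "sig_in_objstm": _pdf_with_field(SIG_FIELD, compress=True),
    "text_field": _pdf_with_field(TEXT_FIELD, compress=False),
    "no_form": (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"),
}


def triage_samples() -> dict:
    """Run the triage over every constructed sample, keyed by sample name."""
    return {name: triage_pdf(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name:14s} {result}")
```

Only `sig_plain` and `sig_in_objstm` come back with `review` set; the text-field form and the form-less file do not. For production use, replace the regex scan with a real parser (pikepdf or pypdf) so that encrypted files, other stream filters and incremental updates are handled, and keep the output as a prioritisation signal rather than a verdict.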

Foxit PDF Reader is widely used by enterprises and individuals for viewing, editing, and signing PDF documents. The advisory does not state which versions are affected, so every installation that has not received the fix should be treated as vulnerable. Given the reader's popularity, the attack surface is significant, particularly in environments where opening PDFs from external senders is routine.

Foxit has issued a security update that addresses CVE-2026-5941. Users should update to the latest version listed on Foxit's security bulletins page. Foxit has not published workarounds or mitigations beyond applying the patch. As general hardening rather than a vendor-provided workaround, opening untrusted PDFs only in a sandboxed viewer or an isolated environment limits the impact, since successful exploitation yields code execution with the privileges of the current user.

The vulnerability was reported to Foxit on March 30, 2026, and the coordinated public advisory followed on April 27, 2026. The researcher who discovered the flaw chose to remain anonymous. There was no evidence of exploitation in the wild at the time of disclosure, but now that the advisory and the patch are public, threat actors may attempt to locate the fix and develop an exploit.

This disclosure is part of a broader trend of memory corruption vulnerabilities in PDF readers and document processing software. Use-after-free bugs remain a common class of vulnerability, often leading to remote code execution. Users and organizations should prioritize patching such software, especially when it is used to handle untrusted documents from external sources.

Synthesized by Vypr AI