Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The application's list box calculate array logic keeps stale references to page or form objects after they are deleted or re-created, which allows crafted documents to trigger a use-after-free when the calculation runs and can potentially lead to arbitrary code execution.
AnalysisAI
Use-after-free in Foxit PDF Reader and Editor allows arbitrary code execution when processing maliciously crafted PDF documents containing list box calculation arrays. The vulnerability (CVSS 7.8) occurs when stale references to deleted or re-created page/form objects persist in calculation logic, enabling local attackers to execute code with user privileges when victims open weaponized PDFs. No public exploit identified at time of analysis, though the memory corruption primitive is well-understood by exploit developers.
Technical ContextAI
This vulnerability stems from improper lifecycle management of JavaScript calculation arrays associated with PDF form list box objects in Foxit's rendering engine. When PDF documents programmatically delete or re-create page or form objects while list box calculations reference them, the calculation engine retains dangling pointers to freed memory regions. Classified as CWE-416 (Use After Free), this memory safety issue allows the calculation logic to dereference freed heap objects during subsequent operations. Affects both Foxit PDF Reader (cpe:2.3:a:foxit_software_inc.:foxit_pdf_reader) and Foxit PDF Editor (cpe:2.3:a:foxit_software_inc.:foxit_pdf_editor), suggesting the shared component is the JavaScript runtime or form field calculation engine used across both products. Use-after-free vulnerabilities in PDF readers are particularly dangerous because PDFs support complex scripting capabilities and object graphs that can precisely manipulate memory state.
RemediationAI
Organizations should immediately consult Foxit's security bulletin at https://www.foxit.com/support/security-bulletins.html to identify the specific patched versions for their deployed products. Vendor-released patch availability is indicated in the security bulletin, though exact remediated version numbers are not specified in the intelligence data provided. As an interim mitigation until patching is complete, organizations can deploy application control policies to block JavaScript execution in PDF documents through Foxit's preferences (Edit > Preferences > JavaScript > Enable JavaScript), though this may break legitimate form functionality. Additional defense-in-depth measures include restricting PDF file sources through email gateway filtering, deploying endpoint detection and response solutions configured to detect heap spray and ROP chain behaviors typical of use-after-free exploitation, and educating users to avoid opening PDF attachments from untrusted sources. Given the local attack vector requiring user interaction, security awareness training significantly reduces exploitation probability.
More in Foxit Pdf Editor
View allUse-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigg
Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows
Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Re
Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a
Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attack
Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the
Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4
Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attac
Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin pr
Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embe
Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows a crafted PDF to crash the application
Denial of service in Foxit PDF Editor and Foxit PDF Reader arises when the application renders a PDF containing cloud-st
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17759