ZCyberNews
Vulnerabilities | High | 3 min read
CVE-2026-5943

Foxit PDF Reader CVE-2026-5943 Use-After-Free RCE Exploited via

CVE-2026-5943: A use-after-free in Foxit PDF Reader's AcroForm annotation handling allows remote code execution with no privileges required (CVSS 7.8, High). Exploitation requires the user to open a malicious PDF.


Executive Summary

Foxit PDF Reader contains a use-after-free vulnerability in its AcroForm annotation handling that can be exploited for remote code execution (RCE) without authentication, according to an advisory published April 28, 2026, by the Zero Day Initiative (ZDI). The flaw, tracked as CVE-2026-5943, carries a CVSS v3.1 base score of 7.8 (High). Exploitation requires user interaction — the target must open a malicious PDF file or visit a page that loads a crafted PDF. ZDI reported the issue to Foxit but has not disclosed whether a patch is available as of the advisory date.

Technical Analysis

The vulnerability resides in the way Foxit PDF Reader processes AcroForm annotations, the interactive form elements embedded in PDF documents. The annotation code frees an object and then continues to use a pointer to it. A PDF whose AcroForm annotations are malformed or sequenced to trigger that path leaves the reader dereferencing a dangling pointer; because the freed memory can be reallocated for data the attacker controls through the same document, the next use of the stale pointer (for example an indirect call through a method table) operates on attacker-chosen contents. The result is arbitrary code execution in the context of the user who opened the file.
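The bug class described above, as an added illustration that is not Foxit's code and is not derived from the ZDI advisory: a toy annotation object model in C in which a form-field action handler deletes the annotation it was fired from. A small fixed pool stands in for the heap and poisons freed slots, so the stale read in the vulnerable dispatch is observable deterministically instead of being undefined behaviour on a real allocator. The hardened dispatch holds a reference across the callback, which is the standard fix: the object cannot be freed until its last user is done with it. Every name here (annot_t, pool_alloc, dispatch_vulnerable, dispatch_hardened, POISON) is hypothetical.

```c
/* Added example: use-after-free in annotation event dispatch, vulnerable
 * pattern beside the hardened one. Toy object model, not Foxit's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define POISON 0xDEADBEEFu   /* value every field of a freed slot takes */

enum annot_kind { ANNOT_WIDGET = 1, ANNOT_TEXT = 2 };

typedef struct annot {
    uint32_t kind;                            /* enum annot_kind; POISON once freed */
    int refcount;                             /* used only by the hardened path */
    void (*on_event)(struct annot *self);     /* form-field action, like a vtable slot */
} annot_t;

/* Stand-in for the heap: fixed slots, poisoned on free (hypothetical pool). */
static annot_t pool[POOL_SLOTS];
static int pool_used[POOL_SLOTS];
static int frees_done;

static annot_t *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_used[i]) {
            pool_used[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void pool_free(annot_t *a)
{
    /* Poison rather than silently recycle, so a read through a dangling
     * pointer is visible as POISON instead of as whatever landed there next. */
    a->kind = POISON;
    a->on_event = NULL;
    pool_used[a - pool] = 0;
    frees_done++;
}

static int annot_frees(void) { return frees_done; }

/* Action handler that removes the annotation it was fired from: the shape
 * of event a reader hits when a form action deletes its own widget. */
static void delete_self_handler(annot_t *self) { pool_free(self); }

/* VULNERABLE: holds a raw pointer across the callback and uses it afterwards.
 * If the handler freed the object, the read of a->kind is a use-after-free. */
static uint32_t dispatch_vulnerable(annot_t *a)
{
    a->on_event(a);
    return a->kind;            /* dangling pointer: yields POISON here */
}

/* HARDENED: explicit ownership. The caller retains the object for the
 * duration of the dispatch, so a handler can drop the document's reference
 * but cannot free the object while it is still in use. */
static annot_t *annot_retain(annot_t *a) { a->refcount++; return a; }
static void annot_release(annot_t *a) { if (--a->refcount == 0) pool_free(a); }
static void release_self_handler(annot_t *self) { annot_release(self); }

static uint32_t dispatch_hardened(annot_t *a)
{
    annot_retain(a);           /* our reference keeps the object alive */
    a->on_event(a);            /* handler may release the document's reference */
    uint32_t kind = a->kind;   /* still valid: refcount is at least 1 */
    annot_release(a);          /* the free, if any, happens only after the last use */
    return kind;
}

/* Constructed scenario: one widget annotation whose action deletes it. */
static uint32_t demo_vulnerable(void)
{
    annot_t *a = pool_alloc();
    a->kind = ANNOT_WIDGET;
    a->refcount = 1;           /* owned by the document's annotation list */
    a->on_event = delete_self_handler;
    return dispatch_vulnerable(a);   /* returns POISON */
}

static uint32_t demo_hardened(void)
{
    annot_t *a = pool_alloc();
    a->kind = ANNOT_WIDGET;
    a->refcount = 1;
    a->on_event = release_self_handler;
    return dispatch_hardened(a);     /* returns ANNOT_WIDGET; freed exactly once */
}

int main(void)
{
    uint32_t v = demo_vulnerable();
    printf("vulnerable dispatch read 0x%08x after its handler freed the annotation\n", (unsigned)v);
    uint32_t h = demo_hardened();
    printf("hardened dispatch read kind %u; frees so far: %d\n", (unsigned)h, annot_frees());
    return 0;
}
```

On a real allocator the freed chunk is recycled rather than poisoned; if attacker-controlled data from the PDF is placed there before the stale use, an indirect call through the dangling pointer (the on_event slot here) transfers control to an address of the attacker's choosing, which is how this bug class turns into code execution in the user's context.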

ZDI's advisory (ZDI-26-304) notes that the vulnerability is reachable from the default attack surface: no special permissions or configuration are required beyond a standard PDF reader installation. The CVSS vector reflects low attack complexity and no privileges required; the attack vector is rated local because the crafted file must be processed on the victim's machine, whether it arrives by email, download or a web page. A 7.8 with those values and user interaction required corresponds to CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, that is, full confidentiality, integrity and availability impact within the user's security scope. The user interaction requirement is the primary mitigating factor.

The advisory does not specify an affected Foxit PDF Reader version range. ZDI advisories generally name the affected product and leave exact versions to the vendor's own bulletin, so the affected range will not be known until Foxit publishes one. As of this writing, Foxit has not issued a public security bulletin or an updated release for CVE-2026-5943.

Mitigations & Recommendations

Until Foxit releases a patched version of PDF Reader, defenders should treat all unsolicited PDF files as potential attack vectors. Organizations using Foxit PDF Reader in enterprise environments should consider:

  • Restricting PDF file downloads and attachments from untrusted sources at the email gateway or web proxy.
  • Blocking child-process creation from the reader. Microsoft Defender's Attack Surface Reduction (ASR) rules cover Office applications and Adobe Reader specifically; there is no built-in ASR rule for Foxit, so enforce the equivalent with an EDR custom rule or application control (AppLocker or WDAC) keyed on the Foxit executable.
  • Using sandboxed PDF viewers or browser-based PDF rendering where possible to limit the impact of code execution.
  • Enabling Foxit's Safe Reading Mode (Preferences > Trust Manager), which restricts JavaScript and other unsafe actions. This is general hardening rather than a confirmed workaround for this flaw, since the annotation objects are still parsed.
  • Monitoring for unusual activity originating from the Foxit process (typically FoxitPDFReader.exe; older releases used FoxitReader.exe): child processes such as cmd.exe, powershell.exe, wscript.exe, mshta.exe or rundll32.exe, and outbound network connections the reader has no business making.

ZDI's disclosure policy typically allows vendors 120 days to patch before public release. If Foxit has not yet shipped a fix, users may be in an extended exposure window. No workarounds have been published by Foxit or ZDI.


Tags: #foxit #pdf-reader #cve-2026-5943 #use-after-free #rce #zdi
