CVE-2026-5940
Received
Received - Intake
Use-After-Free Vulnerability in UI Refresh Causes Application Crashes
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: Foxit
Description
Description
Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| foxit | pdf_editor | to 13.2.4 (exc) |
| foxit | pdf_editor | From 14.0.0 (inc) to 14.0.4 (exc) |
| foxit | pdf_editor | From 2023.0.0 (inc) to 2026.1.1 (exc) |
| foxit | pdf_reader | to 2026.1.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when a function that triggers a user interface (UI) refresh is called after comments have been removed via a script. The problem is that this function may try to access an object that has already been invalidated or removed, which can cause the program to crash.
How can this vulnerability impact me? :
The impact of this vulnerability includes potential program crashes due to accessing invalidated objects during UI refresh. This can lead to denial of service or loss of availability of the affected software.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70