CVE-2026-57248
Received
Received - Intake
Memory Corruption in PDF Viewer Due to Annotation Handling
Vulnerability report for CVE-2026-57248, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: Foxit
Description
Description
When the application opens a PDF file and JavaScript writes annotation attributes, there is a lack of sufficient object type and argument checks. As a result, due to the damage to the internal structure of the annotations, it causes the application to crash during subsequent release.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| foxit | pdf_reader | to 2024.2.3.25184 (exc) |
| foxit | pdf_editor | From 2024.0.0 (inc) to 2023.3.0.23028 (exc) |
| foxit | pdf_editor | to 2023.3.0.23028 (exc) |
| foxit | pdf_editor | to 13.1.3.22478 (exc) |
| foxit | pdf_editor | to 12.1.7.15526 (exc) |
| foxit | pdf_editor | to 11.2.10.53951 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-763 | The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly. |