Foxit Editor/Reader List Box Format Use-After-Free Vulnerability
Summary
| CVE | CVE-2026-57256 |
|---|---|
| State | PUBLISHED |
| Assigner | Foxit |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-08 09:16:33 UTC |
| Updated | 2026-07-08 09:16:33 UTC |
| Description | When the application opens a PDF and executes JavaScript, it performs abnormal operations on the list box field, and this operation is repeated after the form is reset. During this process, the application failed to adequately verify the validity of the form objects and their internal dictionary pointers, resulting in accessing internal members of invalid or improperly initialized fields. This led to an illegal pointer read, ultimately causing the application to crash. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from 14984358-7092-470d-8f34-ade47a7658a2
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Problem Types: CWE-416 | CWE-416 CWE-416 Use after free
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 14984358-7092-470d-8f34-ade47a7658a2 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 2026.1.1 and earlier | Windows |
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 14.0.4 and earlier | Windows |
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 13.2.4 and earlier | Windows |
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 2026.1.1 and earlier | MacOS |
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 14.0.3 and earlier | MacOS |
| CNA | Foxit Software Inc. | Foxit PDF Reader | affected Versions 2026.1.1 and earlier | Windows, MacOS |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.foxit.com/support/security-bulletins.html | 14984358-7092-470d-8f34-ade47a7658a2 | www.foxit.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: KPC of Cisco Talos (en)
There are currently no legacy QID mappings associated with this CVE.