CVE-2026-5940
Published: 27 April 2026
Summary
CVE-2026-5940 is a high-severity use-after-free (CWE-416) vulnerability in Foxit PDF Editor. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 2.8th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely remediation of known flaws and directly addresses this use-after-free vulnerability through application of the Foxit vendor patches.
SI-16 implements memory protections such as ASLR and DEP, which raise the difficulty of turning a use-after-free error into code execution by making the location of invalidated memory objects unpredictable and their contents non-executable.
SI-11 provides error and exception handling that limits the impact of crashes, and of the integrity compromise that can follow, when an invalidated object is accessed after comment removal.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in Foxit client software (PDF/JavaScript handling) enables client-side code execution: a malicious file triggers the flaw when script-based comment removal is followed by a UI refresh.
NVD Description
Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes.
Deeper analysis
CVE-2026-5940 is a use-after-free vulnerability (CWE-416) affecting Foxit software, as detailed in the vendor's security bulletins. The issue arises when a function that triggers a UI refresh is called after comments have been removed via a script; the refresh accesses an object that has already been invalidated, leading to program crashes. It carries a CVSS v3.1 base score of 7.8 (vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-27T12:16:24.377.
The vulnerability can be exploited by a local attacker with low attack complexity and no special privileges, but it requires user interaction (opening a crafted file). Successful exploitation has high impact on confidentiality, integrity, and availability, so the consequences can extend well beyond a crash to full compromise of the affected process.
Foxit's security advisory at https://www.foxit.com/support/security-bulletins.html provides details on patches and mitigation recommendations.
Details
- CWE(s)