Foxit PDF Reader and Foxit PDF Editor Use-After-Free Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A use-after-free vulnerability has been identified in Foxit PDF Reader and Foxit PDF Editor. This vulnerability arises from the application's list box calculation logic, which retains outdated references to page or form objects after they have been deleted or recreated. As a result, crafted documents can trigger a use-after-free condition during the calculation process, potentially leading to arbitrary code execution. The vulnerability is present in Foxit PDF Reader versions through 2025.3.0.35737 and in Foxit PDF Editor versions 2025.3.0.35737 and earlier, as well as several previous 2024.x, 2023.x, and 14.x versions.
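The advisory attributes the flaw to calculation logic that keeps outdated references to form objects after they are deleted or recreated. The C model below is an added illustration, not Foxit code and not taken from the advisory: it shows the general defensive pattern of generation-checked handles, where a stale reference resolves to NULL instead of to reused storage. All type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical model, not Foxit code: each slot's generation is bumped on delete. */
#define MAX_FIELDS 8
typedef struct { uint32_t gen; int live; int value; } FieldSlot;
typedef struct { uint32_t index; uint32_t gen; } FieldHandle;
static FieldSlot slots[MAX_FIELDS];

/* Create a field in the first free slot; the handle records its generation. */
FieldHandle field_create(int value) {
    for (uint32_t i = 0; i < MAX_FIELDS; i++) {
        if (!slots[i].live) {
            slots[i] = (FieldSlot){ slots[i].gen, 1, value };
            return (FieldHandle){ i, slots[i].gen };
        }
    }
    return (FieldHandle){ MAX_FIELDS, 0 };   /* table full: invalid handle */
}

/* Return the slot only if the handle still names the current incarnation. */
FieldSlot *field_resolve(FieldHandle h) {
    if (h.index >= MAX_FIELDS) return NULL;
    FieldSlot *s = &slots[h.index];
    return (s->live && s->gen == h.gen) ? s : NULL;
}

/* Delete the field; bumping gen invalidates every handle issued for it. */
void field_delete(FieldHandle h) {
    FieldSlot *s = field_resolve(h);
    if (s) { s->live = 0; s->gen++; }
}

/* Calculation pass: sum the fields that still resolve, count stale references. */
int calculate(const FieldHandle *refs, size_t n, int *stale) {
    int sum = 0;
    *stale = 0;
    for (size_t i = 0; i < n; i++) {
        FieldSlot *s = field_resolve(refs[i]);
        if (s) sum += s->value; else (*stale)++;
    }
    return sum;
}

int main(void) {
    FieldHandle a = field_create(10), b = field_create(20);
    field_delete(a); field_create(99);   /* field deleted, then its slot is reused */
    FieldHandle cached[2] = { a, b }; int stale;   /* references cached before the delete */
    return calculate(cached, 2, &stale) == 20 && stale == 1 ? 0 : 1;
}
```

The cached handle to the deleted field is rejected even though its slot now holds a new object, which is the condition a raw cached pointer cannot detect.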

Impact

Exploitation of this vulnerability could result in arbitrary code execution on the user's system.

Remediation

Users can update to Foxit PDF Reader 2026.1 or Foxit PDF Editor 2026.1. Instructions for updating or downloading the latest versions are available on the Foxit website. For Mac users, Foxit PDF Reader and Foxit PDF Editor for Mac have also been updated to version 2026.1, with similar update instructions.

Added: Apr 1, 2026, 2:24 AM
Updated: Apr 1, 2026, 2:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.