Foxit Patches Critical PDF Flaws Enabling RCE, Privilege Escalation on Windows
Foxit has issued emergency security updates to remediate a cluster of critical memory-corruption flaws in its Windows PDF products that could be abused for remote code execution (RCE) and local privilege escalation (LPE).
The July 8, 2026 security bulletin covers multiple use‑after‑free (UAF) vulnerabilities and related memory-safety issues across Foxit PDF Reader and Foxit PDF Editor release branches, and the vendor recommends immediate patching.
At the core of this advisory are numerous UAF defects (CWE-416) triggered when the product processes malformed PDF content containing embedded JavaScript.
Use‑after‑free occurs when an application continues to reference memory after it has been freed, allowing an attacker to cause crashes or to craft conditions that let controlled data be executed as code.
Foxit Patches Critical PDF Flaws
Foxit confirmed affected builds include Foxit PDF Reader up through 2026.1.1.36485 and many Foxit PDF Editor versions across 2026.x, 2025.x, 2024.x, 2023.x and legacy 14.x/13.x branches. Patches are available in Foxit PDF Reader 2026.1.2, Foxit PDF Editor 2026.1.2, and Foxit PDF Editor 14.0.5.
| CVE ID | CWE Category | Impact |
|---|---|---|
| CVE-2026-13126 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-13127 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-13128 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-13129 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57237 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57238 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57240 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57242 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57244 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57245 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57247 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57249 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57250 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57252 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57256 | Use After Free (CWE-416) | Arbitrary Code Execution |
| CVE-2026-57239 | Uncontrolled Search Path Element (CWE-427) | Local Privilege Escalation |
| CVE-2026-57246 | Buffer Copy Without Checking Size of Input (CWE-120) | Arbitrary Code Execution |
| CVE-2026-57248 | Release of Invalid Pointer or Reference (CWE-763) | Arbitrary Code Execution |
| CVE-2026-57251 | Improper Validation of Array Index (CWE-129) | Arbitrary Code Execution |
| CVE-2026-57254 | Type Confusion (CWE-843) | Arbitrary Code Execution |
| CVE-2026-57260 | Out-of-Bounds Write (CWE-787) | Arbitrary Code Execution |
Attackers typically weaponize malformed PDFs by embedding JavaScript or other objects that exercise vulnerable code paths. When the user opens the file in an unpatched reader/editor, the crafted input can trigger UAF and related memory corruption.
Enabling either arbitrary code execution under the current user account or, in the case of the updater DLL issue, local privilege escalation if the attacker has write access to locations used during update checks.
Several of the vulnerabilities were reported by external researchers and coordinated through TrendAI Zero Day Initiative and other contributors.
Mitigation
- Apply vendor fixes immediately: upgrade to Foxit PDF Reader 2026.1.2, Foxit PDF Editor 2026.1.2, or Foxit PDF Editor 14.0.5 as applicable.
- Reduce attack surface: disable JavaScript execution in Foxit products where feasible, since most exploit chains rely on embedded JavaScript to trigger memory corruption.
- Hardening: run PDF readers with least privilege, use application control (allowlisting) to prevent execution of unsigned binaries, and enable OS-level mitigations such as DEP/NX and ASLR.
- Network and email controls: block or sandbox incoming PDF attachments from untrusted sources; employ advanced threat detection that flags anomalous PDF structures and embedded scripts.
- Monitor and respond: watch for indicators of compromise and anomalous child processes or persistence following document opens; prioritize incident response if suspicious behavior is detected.
- This batch of fixes underscores the persistent risk of memory-safety bugs in legacy document-rendering code and the continued effectiveness of weaponized PDF files that carry JavaScript payloads.
Organizations should prioritize patch deployment, disable unnecessary JavaScript in readers, and combine endpoint controls and secure update practices to mitigate both remote and local attack vectors.
No Comment! Be the first one.