CVE-2026-3776NULL Pointer Dereference in Software INC Foxit PDF Editor

CWE-476NULL Pointer Dereference3 documents3 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 96.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Foxit Software INC Foxit PDF EditorFoxit Software INC Foxit PDF Reader
Timeline
PublishedApr 1

Description

The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a crafted document to trigger a null pointer dereference and crash the application, resulting in denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5foxit_software_inc/foxit_pdf_editorVersions 13.2.2 and earlier, Versions 14.0.2 and earlier, Versions 2025.3 and earlier+2
CVEListV5foxit_software_inc/foxit_pdf_readerVersions 2025.3 and earlier

🔴Vulnerability Details

2
CVEList
Null pointer dereference in Foxit PDF Editor/Reader when accessing stamp annotation2026-04-01
GHSA
GHSA-m7gh-37pm-cchx: The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources2026-04-01
CVE-2026-3776 — NULL Pointer Dereference | cvebase