CVE-2026-3776
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
01/04/2026
Last modified:
14/04/2026
Description
The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a crafted document to trigger a null pointer dereference and crash the application, resulting in denial of service.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 13.2.2.24014 (including) | |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 14.0.0.33046 (including) | 14.0.2.33402 (including) |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 2023.1.0.15510 (including) | 2023.3.0.23028 (including) |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 2024.1.0.23997 (including) | 2024.4.1.27687 (including) |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 2025.1.0.27937 (including) | 2025.3.0.35737 (including) |
| cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:* | 2025.3.0.35737 (including) | |
| cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 13.2.2.63349 (including) | |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 14.0.0.68868 (including) | 14.0.2.69164 (including) |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 2023.1.0.55583 (including) | 2023.3.0.63083 (including) |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 2024.1.0.63682 (including) | 2024.4.1.66479 (including) |
| cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:* | 2025.1.0.66692 (including) | 2025.3.0.69570 (including) |
| cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:* | 2025.3.0.69570 (including) | |
| cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page