CVE-2026-3776

Summary

The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a crafted document to trigger a null pointer dereference and crash the application, resulting in denial of service.

Affected Software

VendorProductVersion RangeStatus
Foxit Software Inc.Foxit PDF EditorVersions 2025.3 and earlieraffected
Foxit Software Inc.Foxit PDF EditorVersions 14.0.2 and earlieraffected
Foxit Software Inc.Foxit PDF EditorVersions 13.2.2 and earlieraffected
Foxit Software Inc.Foxit PDF ReaderVersions 2025.3 and earlieraffected

Weaknesses

  • CWE-476: CWE-476 NULL pointer dereference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References