CVE-2021-21796
📋 TL;DR
A use-after-free vulnerability in Nitro Pro PDF's JavaScript engine allows remote code execution when a user opens a malicious PDF document. This affects users of vulnerable Nitro Pro PDF versions, potentially enabling attackers to execute arbitrary code with the application's privileges.
💻 Affected Systems
- Nitro Pro PDF
📦 What is this software?
Nitro Pro by Gonitro
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with the privileges of the Nitro Pro PDF application, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malicious PDF documents delivered via phishing or compromised websites lead to code execution, enabling credential theft, malware installation, or data exfiltration.
If Mitigated
With proper patching and security controls, impact is limited to application crashes or denial of service without code execution.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious PDF, but the vulnerability is reliably exploitable for code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.31.0.605 and later
Vendor Advisory: https://www.gonitro.com/nps/security/updates
Restart Required: Yes
Instructions:
1. Open Nitro Pro PDF.
2. Go to Help > Check for Updates.
3. Follow the prompts to install version 13.31.0.605 or later.
4. Restart the application.
🔧 Temporary Workarounds
Disable JavaScript in Nitro Pro PDF
Platform: Windows
Prevents exploitation by disabling JavaScript execution in PDF documents.
Open Nitro Pro PDF > File > Preferences > Security > Uncheck 'Enable JavaScript'
Block PDF files at network perimeter
Platform: All
Prevents delivery of malicious PDFs via email or web downloads.
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized executables launched by the Nitro Pro PDF process.
- Use endpoint detection and response (EDR) to monitor for suspicious process creation from Nitro Pro PDF.
🔍 How to Verify
Check if Vulnerable:
Check Nitro Pro PDF version in Help > About. If version is below 13.31.0.605, the system is vulnerable.
Check Version:
Not applicable - check via GUI in Help > About
Verify Fix Applied:
Confirm version is 13.31.0.605 or higher in Help > About after patching.
📡 Detection & Monitoring
Log Indicators:
- Application crashes of Nitro Pro PDF with memory access violations
- Unusual process creation from nitro_pro.exe
Network Indicators:
- Downloads of PDF files from suspicious sources followed by Nitro Pro PDF execution
SIEM Query:
Process creation where parent_process_name contains 'nitro_pro.exe' AND (process_name contains 'cmd.exe' OR process_name contains 'powershell.exe')
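The two checks above (the "below 13.31.0.605" version rule and the parent/child process SIEM rule) as an added, runnable example; this is not part of the advisory or vendor tooling. It assumes process-creation events carry the `parent_process_name` and `process_name` fields named in the SIEM query, and compares executable basenames exactly rather than using the query's looser "contains" match; the sample events are constructed.

```python
PATCHED_VERSION = "13.31.0.605"          # fixed version stated in the advisory
PARENT_HINT = "nitro_pro.exe"             # parent process name used by the advisory's SIEM query
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe")


def parse_version(text: str, width: int = 4) -> tuple:
    """Turn '13.31.0.605' into (13, 31, 0, 605); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed version sorts below the patched version."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def basename(path: str) -> str:
    """Image path -> lower-case executable name, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_siem_rule(event: dict) -> bool:
    """Parent is the Nitro process AND child is cmd.exe or powershell.exe."""
    parent = basename(event.get("parent_process_name", ""))
    child = basename(event.get("process_name", ""))
    return parent == PARENT_HINT and child in SUSPICIOUS_CHILDREN


def find_suspicious(events: list) -> list:
    """Return the events that should raise an alert, in input order."""
    return [e for e in events if matches_siem_rule(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "parent_process_name": r"C:\Program Files\Nitro\nitro_pro.exe",
     "process_name": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "parent_process_name": r"C:\Program Files\Nitro\nitro_pro.exe",
     "process_name": r"C:\Windows\System32\conhost.exe"},      # benign child, not flagged
    {"id": 3, "parent_process_name": r"C:\Windows\explorer.exe",
     "process_name": r"C:\Windows\System32\cmd.exe"},          # different parent, not flagged
    {"id": 4, "parent_process_name": r"c:\program files\nitro\NITRO_PRO.EXE",
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for version in ("13.30.2.1", "13.31.0.605", "13.31.1.0"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "patched")
    for event in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: event", event["id"], "spawned", basename(event["process_name"]))
```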