CVE-2021-21822

8.8 HIGH

📋 TL;DR

A use-after-free vulnerability in Foxit PDF Reader's JavaScript engine allows arbitrary code execution when users open malicious PDF files. This affects Foxit PDF Reader version 10.1.3.37598 users, particularly when the browser plugin extension is enabled. Attackers can exploit this by tricking users into opening specially crafted PDF documents.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 10.1.3.37598
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Browser plugin extension must be enabled for web-based exploitation; local file opening is always vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining the same privileges as the user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malware installation leading to credential theft, data exfiltration, or system disruption for individual users.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only crashing the PDF reader application.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious PDF, but PDFs are commonly shared via email and web.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious documents in shared drives.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (the victim must open the crafted PDF), but the vulnerability has been publicly documented in vulnerability reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.4 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install the latest version.
4. Restart the computer after installation.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

Applies to: all

Prevents JavaScript execution in PDF files, mitigating the vulnerability.

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Disable Browser Plugin

Applies to: all

Prevents exploitation via web browsers.

Open Foxit Reader > File > Preferences > General > Uncheck 'Enable PDF viewing in web browsers'

🧯 If You Can't Patch

  • Restrict PDF file opening to trusted sources only
  • Run Foxit Reader with limited user privileges

🔍 How to Verify

Check if Vulnerable:

Check the Foxit Reader version: open Foxit > Help > About Foxit Reader. If the version is 10.1.3.37598 or earlier, the system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 10.1.4 or later in Help > About Foxit Reader.

📡 Detection & Monitoring

Log Indicators:

  • Multiple Foxit Reader crashes
  • Unusual process spawning from Foxit Reader

Network Indicators:

  • Unexpected outbound connections from Foxit Reader process

SIEM Query (pseudo-syntax; adapt field names to your platform; Windows Application log event IDs 1000 and 1001 are Application Error and Windows Error Reporting crash records):

process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001) | where version contains "10.1.3"
