Login Sign Up

CVE-2021-31457

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Foxit Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files. The flaw exists in how Annotation objects are handled without proper validation, enabling code execution in the current process context. Users of affected Foxit Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 10.1.1.37576 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious PDF).

📦 What is this software?

Phantompdf by Foxitsoftware

View all CVEs affecting Phantompdf →

Phantompdf by Foxitsoftware

View all CVEs affecting Phantompdf →

Reader by Foxitsoftware

View all CVEs affecting Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the user running Foxit Reader, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malicious code execution leading to malware installation, credential theft, or unauthorized access to sensitive documents.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially containing the exploit to the application context.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires user interaction (opening malicious file). ZDI published advisory with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.2.37627 and later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Open Foxit Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to install latest version. 4. Restart computer after installation.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents JavaScript-based exploitation vectors

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

all

Opens files in restricted mode by default

File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Temporarily switch to alternative PDF readers like Adobe Reader or browser-based viewers
  • Implement application whitelisting to block Foxit Reader execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version in Help > About. If version is 10.1.1.37576 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 10.1.2.37627 or later in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Outbound connections from Foxit Reader to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005

📊 Metadata

CVE ID: CVE-2021-31457
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: May 7, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-31457, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)