CVE-2021-31470

7.8 HIGH

📋 TL;DR

This vulnerability in Foxit Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files containing specially crafted U3D objects. The flaw exists due to improper validation of U3D objects before performing operations on them. Users of affected Foxit Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 10.1.1.37576 and earlier
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious PDF).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malicious actors deliver targeted phishing emails with malicious PDF attachments, leading to malware installation or credential theft on individual workstations.

🟢 If Mitigated

Limited impact with proper endpoint protection, application whitelisting, and user training preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires user to open malicious PDF. Proof-of-concept code is publicly available through ZDI advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Foxit Reader 10.1.2 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download latest Foxit Reader from official website.
2. Run installer.
3. Restart system.
4. Verify version is 10.1.2 or higher.

🔧 Temporary Workarounds

Disable U3D support

all

Disable U3D object rendering in Foxit Reader settings

Open Foxit Reader > File > Preferences > Trust Manager > Disable U3D support

Use alternative PDF reader

all

Temporarily use a different PDF reader that is not vulnerable

🧯 If You Can't Patch

  • Implement application whitelisting to block unauthorized executables
  • Deploy endpoint detection and response (EDR) to monitor for suspicious PDF file execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version: Open Foxit Reader > Help > About. If version is 10.1.1.37576 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 10.1.2 or higher in About dialog. Test with known safe PDF containing U3D objects.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with U3D-related errors
  • Windows Event Logs showing unexpected process creation from Foxit Reader

Network Indicators:

  • Outbound connections from Foxit Reader process to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001) AND message:"U3D"
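
A complementary check at the mail gateway or file share, written for this page as an added example (not code from Foxit, ZDI, or the original advisory): it flags PDFs that embed U3D content so they can be held until readers are patched. It assumes the ISO 32000-1 convention that a 3D stream dictionary carries `/Subtype /U3D`. It reports any U3D-bearing file, not only malicious ones, works on raw bytes without decompressing object streams, and uses hypothetical function names and constructed sample bytes.

```python
import re
import sys

# Name token: "/" followed by regular characters or #XX hex escapes.
_NAME = re.compile(rb"/((?:[^\x00\t\n\f\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})*)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_PDF_WS = b"\x00\t\n\x0c\r "

# Constructed sample inputs (not real documents).
SAMPLE_U3D = (
    b"%PDF-1.7\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /3D /3DD 6 0 R >>\nendobj\n"
    b"6 0 obj\n<< /Type /3D /Subtype /U#33D /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
)
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"


def find_3d_content(data: bytes) -> dict:
    """Count /Subtype /U3D (3D stream) and /Subtype /3D (3D annotation) pairs."""
    hits = {"u3d_stream": 0, "annot_3d": 0}
    prev_name, prev_end = None, 0
    for m in _NAME.finditer(data):
        # Decode #XX so "/U#33D" is treated as the same name as "/U3D".
        name = _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        # Only count a value that directly follows the /Subtype key.
        adjacent = data[prev_end:m.start()].strip(_PDF_WS) == b""
        if prev_name == b"Subtype" and adjacent:
            if name == b"U3D":
                hits["u3d_stream"] += 1
            elif name == b"3D":
                hits["annot_3d"] += 1
        prev_name, prev_end = name, m.end()
    return hits


def needs_review(data: bytes) -> bool:
    """True when the file embeds U3D content and should be held for review."""
    return find_3d_content(data)["u3d_stream"] > 0


if __name__ == "__main__":
    # Usage: python u3d_triage.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_3d_content(fh.read())
        print(f"{path}: {'HOLD' if hits['u3d_stream'] else 'ok'} {hits}")
```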
