Login Sign Up

CVE-2021-34950

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Foxit PDF Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files. The flaw exists in how Annotation objects are handled, enabling out-of-bounds reads that can lead to remote code execution. All users of affected Foxit PDF Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: Versions prior to 11.1.0.52543
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious PDF).

📦 What is this software?

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the victim's computer, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠

Likely Case

Malicious code execution in the context of the current user, allowing file access, credential theft, and installation of additional malware.

🟢

If Mitigated

Limited impact with proper security controls like application sandboxing, privilege separation, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but no authentication. The vulnerability is well-documented and likely incorporated into exploit kits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.0.52543 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader
2. Go to Help > Check for Updates
3. Follow prompts to update to version 11.1.0.52543 or later
4. Restart the application

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

windows

Prevents JavaScript-based exploitation vectors that might leverage this vulnerability

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

windows

Open PDFs in protected mode to limit potential damage

File > Preferences > General > Check 'Open documents in Protected View'

🧯 If You Can't Patch

  • Use alternative PDF readers that are not vulnerable
  • Implement application whitelisting to block Foxit Reader execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version: Help > About Foxit Reader. If version is below 11.1.0.52543, you are vulnerable.

Check Version:

wmic product where "name like 'Foxit%Reader%'" get version

Verify Fix Applied:

Verify version is 11.1.0.52543 or higher in Help > About Foxit Reader.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader
  • Network connections initiated by Foxit Reader process

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections from Foxit Reader to unknown IPs

SIEM Query:

process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001) AND (exception_code:0xc0000005 OR exception_code:0xc0000409)

📊 Metadata

CVE ID: CVE-2021-34950
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125
Published: May 7, 2024
Last Updated: August 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-34950, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)