CVE-2021-34954

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Editor's handling of StrikeOut annotations that allows remote code execution. Attackers can exploit it by tricking users into opening malicious PDF files, potentially compromising affected systems. Users of vulnerable Foxit PDF Editor versions are at risk.

💻 Affected Systems

Products:
  • Foxit PDF Editor
Versions: Prior to 11.1.0.52543
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Foxit Reader may also be affected, but this is not explicitly confirmed in available advisories.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malicious code execution in user context leading to credential theft, data exfiltration, or malware installation.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only application crash.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious file, but PDFs are commonly shared via email and web.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious documents in shared drives.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious PDF. ZDI published technical details but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.0.52543 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download latest version from Foxit website.
2. Run installer.
3. Restart system.
4. Verify version is 11.1.0.52543 or higher.

🔧 Temporary Workarounds

Disable PDF handling in Foxit

windows

Set Windows default PDF handler to alternative application

Control Panel > Default Programs > Set Default Programs > Select alternative PDF reader

Application Control Policy

windows

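Block execution of vulnerable Foxit versions via AppLocker or similar. New-AppLockerPolicy has no -Action parameter and generates Allow rules only, so build the rule from the installed binary, change Action="Allow" to Action="Deny" in the generated XML, restrict the publisher rule's version range to builds below 11.1.0.52543, and apply the result with Set-AppLockerPolicy.

Get-AppLockerFileInformation -Path "<path to FoxitPDFEditor.exe>" | New-AppLockerPolicy -RuleType Publisher,Path -User Everyone -Xml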

🧯 If You Can't Patch

  • Implement application sandboxing to limit impact of potential exploitation
  • Restrict user privileges to prevent system-wide compromise if exploited

🔍 How to Verify

Check if Vulnerable:

Check Foxit PDF Editor version in Help > About. If version is below 11.1.0.52543, system is vulnerable.

Check Version:

wmic product where name="Foxit PDF Editor" get version

Verify Fix Applied:

Verify version is 11.1.0.52543 or higher in Help > About and test opening known safe PDFs with StrikeOut annotations.
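
A scripted form of the version check above, as an added example that is not from the vendor or the original page: it reads the standard Windows uninstall registry keys (avoiding the MSI consistency check that a Win32_Product query triggers) and compares each entry against the fixed build 11.1.0.52543. The function names and the DisplayName pattern are assumptions, as is the registry DisplayVersion matching the build shown in Help > About.

```powershell
# Added example (not vendor code). Fixed build number taken from the advisory above.
$FixedVersion = [version]'11.1.0.52543'

function Test-FoxitVulnerable {
    param([string]$DisplayVersion)
    # [version] compares numerically per component, so 11.1.0.9999 sorts below
    # 11.1.0.52543 (a plain string comparison would get this wrong).
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion.Trim(), [ref]$parsed)) {
        return $null   # unparseable or missing version: unknown, never "safe"
    }
    return ($parsed -lt $FixedVersion)
}

function Get-FoxitInstall {
    # Standard uninstall keys (64-bit and 32-bit views). Assumption: the product
    # registers a DisplayName beginning with "Foxit PDF Editor".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Foxit PDF Editor*' } |
        ForEach-Object {
            $vuln = Test-FoxitVulnerable -DisplayVersion ([string]$_.DisplayVersion)
            $status = if ($null -eq $vuln) { 'UNKNOWN' } elseif ($vuln) { 'VULNERABLE' } else { 'PATCHED' }
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Status  = $status
            }
        }
}

# No output means no matching product is registered on this host.
Get-FoxitInstall | Format-Table -AutoSize
```

An UNKNOWN status means the registered version string could not be parsed and should be checked by hand in Help > About.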

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with exception codes related to memory access violations
  • Unusual child processes spawned from FoxitPDFEditor.exe

Network Indicators:

  • Unexpected outbound connections from Foxit process post-PDF opening
  • DNS requests to suspicious domains after PDF processing

SIEM Query:

process_name="FoxitPDFEditor.exe" AND (event_id=1000 OR child_process_creation=true)
