Login Sign Up

CVE-2021-34956

7.8 HIGH
Remote Code Execution

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Editor's underline annotation handling that allows remote attackers to execute arbitrary code. Users who open malicious PDF files or visit malicious web pages with Foxit PDF Editor are affected. The vulnerability exists due to improper validation of annotation objects before operations.

💻 Affected Systems

Products:
  • Foxit PDF Editor
Versions: Versions prior to 11.1.0.52543
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: This affects Foxit PDF Editor specifically, not Foxit Reader. User interaction is required (opening malicious PDF).

📦 What is this software?

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Editor by Foxit

View all CVEs affecting Pdf Editor →

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation or arbitrary code execution within the context of the Foxit PDF Editor process, potentially leading to malware installation.

🟢

If Mitigated

Limited impact due to sandboxing or application hardening, potentially only application crash or denial of service.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious PDF). The vulnerability was discovered by Zero Day Initiative (ZDI-CAN-14357).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.0.52543 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download latest version from Foxit website. 2. Run installer. 3. Restart system. 4. Verify version is 11.1.0.52543 or higher.

🔧 Temporary Workarounds

Disable PDF opening in Foxit Editor

windows

Change default PDF handler to alternative PDF reader

Control Panel > Default Programs > Set Default Programs > Select alternative PDF reader

Application sandboxing

windows

Run Foxit PDF Editor in restricted environment

🧯 If You Can't Patch

  • Use alternative PDF software for opening untrusted PDFs
  • Implement application whitelisting to prevent unauthorized execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit PDF Editor version in Help > About. If version is below 11.1.0.52543, system is vulnerable.

Check Version:

In Foxit PDF Editor: Help > About

Verify Fix Applied:

Verify version is 11.1.0.52543 or higher in Help > About. Test opening known safe PDFs to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Foxit PDF Editor
  • Unusual process creation from Foxit PDF Editor

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections from Foxit process to unknown IPs

SIEM Query:

Process:foxit* AND (EventID:1000 OR ParentImage:*foxit*)

📊 Metadata

CVE ID: CVE-2021-34956
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: May 7, 2024
Last Updated: August 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-34956, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)