CVE-2021-34960 – This is a use-after-free vulnerability in Foxit... (How to Fix)

Q: What is the severity of CVE-2021-34960?

CVE-2021-34960 has a CVSS score of 7.8 (HIGH). This is a use-after-free vulnerability in Foxit PDF Editor's handling of Circle Annotation objects, allowing remote attackers to execute arbitrary code when a user opens a malicious PDF file or visits a malicious webpage. It affects users of Foxit PDF Editor who interact with untrusted PDF content, potentially leading to full system compromise.

📋 TL;DR

This is a use-after-free vulnerability in Foxit PDF Editor's handling of Circle Annotation objects, allowing remote attackers to execute arbitrary code when a user opens a malicious PDF file or visits a malicious webpage. It affects users of Foxit PDF Editor who interact with untrusted PDF content, potentially leading to full system compromise.

💻 Affected Systems

Products:

Foxit PDF Editor

Versions: Versions prior to 11.1.0.52543

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations with vulnerable versions are affected; no special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the current user, leading to complete system takeover, data theft, or ransomware deployment.

🟠

Likely Case

Malicious actors trick users into opening crafted PDFs, resulting in malware installation or credential harvesting.

🟢

If Mitigated

With patching and security controls, risk is reduced to minimal, though user error could still trigger exploitation.

🌐 Internet-Facing: MEDIUM, as exploitation requires user interaction (e.g., downloading and opening a malicious PDF), but phishing campaigns can widely distribute exploits.

🏢 Internal Only: MEDIUM, as internal users might open malicious attachments from emails or shared drives, but network segmentation can limit lateral movement.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward once a malicious PDF is crafted, but requires user interaction to open the file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.0.52543 and later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Editor. 2. Go to Help > Check for Updates. 3. Follow prompts to install version 11.1.0.52543 or newer. 4. Restart the application after installation.

🔧 Temporary Workarounds

Disable PDF opening in Foxit Editor

windows

Change default PDF handler to a non-vulnerable application like Adobe Reader or a web browser.

Windows: Control Panel > Default Programs > Set Default Programs, select alternative PDF viewer

Restrict execution of Foxit PDF Editor

windows

Use application control policies to block Foxit PDF Editor from running, especially for untrusted users.

Windows: Use Group Policy or AppLocker to deny Foxit executable

🧯 If You Can't Patch

Implement strict email filtering to block malicious PDF attachments and educate users on phishing risks.
Use endpoint detection and response (EDR) tools to monitor for suspicious process execution from Foxit PDF Editor.

🔍 How to Verify

Check if Vulnerable:

Check the Foxit PDF Editor version: open the application, go to Help > About, and verify if version is below 11.1.0.52543.

Check Version:

On Windows: wmic product where name="Foxit PDF Editor" get version

Verify Fix Applied:

After updating, confirm the version is 11.1.0.52543 or higher in Help > About.

📡 Detection & Monitoring

Log Indicators:

Unusual process spawns from Foxit PDF Editor, crash logs related to annotation handling

Network Indicators:

Downloads of PDF files from untrusted sources, followed by Foxit process activity

SIEM Query:

Process creation where parent process contains 'Foxit' and command line includes '.pdf' from suspicious IPs

📊 Metadata

CVE ID: CVE-2021-34960

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: May 7, 2024

Last Updated: August 13, 2025

🔗 References

https://www.foxit.com/support/security-bulletins.html Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-1191/ Third Party Advisory
https://www.foxit.com/support/security-bulletins.html Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-1191/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-34960, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Pdf Editor by Foxit

Pdf Editor by Foxit

Pdf Editor by Foxit

Pdf Reader by Foxit

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable PDF opening in Foxit Editor

Restrict execution of Foxit PDF Editor

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities