CVE-2021-38563

9.8 CRITICAL

📋 TL;DR

This vulnerability in Foxit PDF software allows attackers to trigger memory corruption through malformed PDF files, potentially leading to remote code execution. It affects all users of Foxit PDF Reader and PDF Editor versions before 11.0.1. The high CVSS score indicates critical severity requiring immediate attention.

💻 Affected Systems

Products:
  • Foxit PDF Reader
  • Foxit PDF Editor
Versions: All versions before 11.0.1
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with SYSTEM/root privileges, allowing complete system compromise and data exfiltration.
🟠 Likely Case: Application crash leading to denial of service, with potential for information disclosure through memory leaks.
🟢 If Mitigated: Application crash with no data loss if proper sandboxing and memory protections are enabled.

🌐 Internet-Facing: HIGH - PDF files are commonly downloaded from the internet and email attachments.
🏢 Internal Only: MEDIUM - Internal users may open malicious PDFs from compromised internal systems or phishing campaigns.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open a malicious PDF file. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.1 and later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Open Foxit software.
2. Go to Help > Check for Updates.
3. Follow prompts to install version 11.0.1 or later.
4. Restart computer after installation.

🔧 Temporary Workarounds

Disable JavaScript in Foxit

all

Prevents some exploitation vectors by disabling JavaScript execution in PDF files

File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

all

Open PDFs in protected/sandboxed mode to limit potential damage

File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Block PDF files at network perimeter using content filtering
  • Use alternative PDF readers that are not vulnerable

🔍 How to Verify

Check if Vulnerable:

Check Foxit version: Open Foxit > Help > About Foxit Reader/Editor. If version is below 11.0.1, you are vulnerable.

Check Version:

On Windows: wmic product where "name like 'Foxit%'" get version

Verify Fix Applied:

Verify version is 11.0.1 or higher in Help > About, then test opening known safe PDF files.
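
A version check that covers the steps above in one pass, as an added example (not Foxit's or this page's own code). It reads the standard Windows uninstall registry keys instead of `wmic product`, because querying Win32_Product triggers an MSI consistency check of every installed package. The helper name `Test-FoxitVersion` is hypothetical, the `Foxit*` name filter mirrors the wmic query above, and the parsing of `DisplayVersion` is an assumption about how the installer records its version.

```powershell
# Added example: list installed Foxit products and compare each against the
# fixed version stated on this page (11.0.1).
$fixed = [version]'11.0.1'

# Standard per-machine (64-bit and 32-bit view) and per-user uninstall keys.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: classify one DisplayVersion string.
function Test-FoxitVersion {
    param([string]$DisplayVersion, [version]$Fixed)
    # DisplayVersion is free text; keep only the leading dotted number (2-4 parts).
    if ($DisplayVersion -match '^\s*(\d+(\.\d+){1,3})') {
        $installed = [version]$Matches[1]
        if ($installed -lt $Fixed) { 'VULNERABLE' } else { 'patched' }
    }
    else {
        'UNKNOWN'   # missing or unparseable: review by hand, do not assume safe
    }
}

Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Foxit*' } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Test-FoxitVersion -DisplayVersion $_.DisplayVersion -Fixed $fixed
        }
    } |
    Sort-Object Name |
    Format-Table -AutoSize
```

The `Foxit*` filter also matches other Foxit-branded packages, so confirm that each listed row is Foxit PDF Reader or Foxit PDF Editor before acting on its status.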

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in Windows Event Logs
  • Unexpected memory access errors
  • Foxit process termination with error codes

Network Indicators:

  • PDF file downloads from suspicious sources
  • Multiple PDF files with similar hash patterns

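SIEM Query (field and source names are generic and must be mapped to your SIEM's schema; Event ID 1000 is the Application Error crash event, which Windows writes to the Application log rather than the Security log):

source="Windows Application" AND event_id=1000 AND process_name="Foxit*.exe" AND (exception_code=0xc0000005 OR exception_code=0xc0000409)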
