Login Sign Up

CVE-2021-40420

8.8 HIGH
Remote Code Execution

📋 TL;DR

A use-after-free vulnerability in Foxit PDF Reader's JavaScript engine allows arbitrary code execution when a user opens a malicious PDF file or visits a malicious website with the browser plugin enabled. This affects users of Foxit PDF Reader version 11.1.0.52543 who open untrusted PDF documents.

💻 Affected Systems

Products:
  • Foxit PDF Reader
Versions: 11.1.0.52543
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Browser plugin must be enabled for web-based exploitation; opening malicious PDF files directly affects all configurations.

📦 What is this software?

Pdf Reader by Foxit

View all CVEs affecting Pdf Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control of the victim's computer, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Malware installation leading to credential theft, data exfiltration, or system disruption through common attack vectors like phishing emails with malicious attachments.

🟢

If Mitigated

No impact if users avoid opening untrusted PDFs, disable JavaScript in PDF reader, or have updated to patched version.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (opening file or visiting malicious site); technical details and proof-of-concept are publicly available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.1 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Open Foxit PDF Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to install latest version (11.1.1+). 4. Restart computer after installation.

🔧 Temporary Workarounds

Disable JavaScript in PDF Reader

all

Prevents JavaScript execution in PDF files, blocking the primary exploitation vector.

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Disable Browser Plugin

all

Prevents web-based exploitation through malicious websites.

Browser settings > Extensions/Add-ons > Disable Foxit PDF Reader plugin

🧯 If You Can't Patch

  • Restrict PDF file opening to trusted sources only through application whitelisting or policy controls.
  • Use alternative PDF readers that are not vulnerable to this specific CVE.

🔍 How to Verify

Check if Vulnerable:

Check Foxit PDF Reader version in Help > About. If version is exactly 11.1.0.52543, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Confirm version is 11.1.1 or higher in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Foxit Reader crashes
  • Process creation from Foxit Reader with suspicious command lines

Network Indicators:

  • Outbound connections from Foxit Reader process to unknown IPs
  • DNS requests for suspicious domains after PDF opening

SIEM Query:

process_name:"FoxitReader.exe" AND (event_id:1 OR parent_process_name:"FoxitReader.exe")

📊 Metadata

CVE ID: CVE-2021-40420
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: February 4, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-40420, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)