CVE-2021-21870Use After Free in Foxit Reader

CWE-416Use After Free5 documents4 sources
Severity
8.8HIGHNVD
EPSS
0.9%
top 24.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Foxitsoftware Foxit ReaderFoxit PDF Reader
Timeline
PublishedAug 5
Latest updateMay 24

Description

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.4.37651. A specially crafted PDF document can trigger the reuse of previously free memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening a malicious file or site to trigger this vulnerability if the browser plugin extension is enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDfoxit/pdf_reader10.1.4.37651
CVEListV5foxitsoftware/foxit_readerFoxit Reader 10.1.4.37651

🔴Vulnerability Details

2
GHSA
GHSA-4cm9-vfcj-fcm5: A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 102022-05-24
CVEList
CVE-2021-21870: A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 102021-08-05

🕵️Threat Intelligence

2
Talos
Vulnerability Spotlight: Use-after-free vulnerabilities in Foxit PDF Reader2021-07-27
Talos
Vulnerability Spotlight: Use-after-free vulnerabilities in Foxit PDF Reader2021-07-27
CVE-2021-21870 — Use After Free in Foxit Reader | cvebase