CVE-2026-47911: Adobe Acrobat Reader Out-of-Bounds Write RCE Vulnerability
Adobe Acrobat Reader contains a critical flaw that allows attackers to execute arbitrary code on a user's computer by tricking them into opening a specially crafted file. The vulnerability affects multiple recent versions across Windows and macOS systems. While the flaw requires user interaction—specifically opening a malicious PDF or document—the potential impact is severe, as successful exploitation grants the attacker the same privileges as the logged-in user.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47911 is an out-of-bounds write vulnerability (CWE-787) in Adobe Acrobat Reader that enables arbitrary code execution with user-level privileges. The flaw exists in versions 24.001.30365, 26.001.21651, and earlier on both Windows and macOS platforms. The vulnerability requires a victim to open a malicious file, making it a user-interaction-dependent attack vector. The out-of-bounds write mechanism allows an attacker to overwrite adjacent memory regions, potentially corrupting data structures or injecting executable code that executes in the context of the affected user.
Business impact
For organizations relying on Acrobat Reader for document handling, this vulnerability poses a significant operational risk. Successful exploitation could lead to unauthorized code execution, data theft, lateral movement within the network, or system compromise. Remote workers and users processing untrusted documents face heightened exposure. The financial impact includes potential incident response costs, data breach notification obligations, and business disruption from infected systems.
Affected systems
Adobe Acrobat Reader versions 24.001.30365 and 26.001.21651 and earlier are vulnerable. The issue affects systems running Windows and macOS. Users of Adobe Acrobat (the full suite) may also be impacted. Organizations should inventory deployed Reader versions to determine exposure scope, as adoption of recent versions varies widely across enterprise environments.
Exploitability
While the vulnerability requires user interaction—a victim must open a malicious document—the attack surface remains broad given the ubiquity of email-based document sharing and social engineering techniques. Attackers can distribute weaponized files through phishing, drive-by downloads, or file-sharing platforms. The barrier to exploitation is relatively low; no authentication or special user privileges are required to trigger the flaw. However, as of the data provided, no evidence of active exploitation in the wild has been formally documented in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Immediately patch Adobe Acrobat Reader to the latest available version released after the vulnerability disclosure. Verify against Adobe's official security advisory for specific patch versions addressing this flaw. Additionally, enforce organizational policies requiring users to avoid opening unexpected document attachments, particularly from external senders. Consider deploying application whitelisting or content filtering to restrict execution of untrusted binaries.
Patch guidance
Check Adobe's official security advisory and product update channels for patched versions. Users should enable automatic updates in Acrobat Reader settings, or manually download and install the latest version from Adobe's website. Administrators should test patches in a non-production environment before enterprise rollout. Verify patch deployment across all Reader instances in your environment, including older devices or offline systems that may be overlooked during standard update cycles.
Detection guidance
Monitor for suspicious Acrobat Reader process behavior, including unexpected child processes, file writes to system directories, or network communications initiated from Reader. Endpoint Detection and Response (EDR) tools should flag out-of-bounds memory access attempts or code injection patterns targeting Reader. Log and alert on failed or unusual document opening attempts. Network-based detection should identify phishing emails with suspicious PDF attachments or downloads of malicious documents. File integrity monitoring can help detect unauthorized system modifications post-exploitation.
Why prioritize this
This vulnerability merits high priority due to its HIGH severity rating (CVSS 7.8), broad user base, and user-interaction requirement that maps directly to common attack vectors like phishing. The combination of arbitrary code execution capability, lack of special privileges needed to trigger the flaw, and the prevalence of Acrobat Reader across both enterprise and consumer environments creates substantial risk. Patch adoption should be accelerated to reduce the window of exposure before attackers weaponize the flaw at scale.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects high impact across confidentiality, integrity, and availability, combined with local attack vector and required user interaction. The score appropriately captures the severity of arbitrary code execution but is tempered by the need for a user to open a malicious file. This scoring aligns with the real-world threat model where phishing or social engineering must precede successful exploitation, yet the end result—full code execution in user context—is catastrophic.
Frequently asked questions
Can the vulnerability be exploited remotely without user interaction?
No. The vulnerability requires a victim to actively open a malicious file. However, remote delivery of that file via email phishing, compromised websites, or file-sharing services is straightforward, making the attack surface practical for threat actors.
Does patching Reader on one machine protect my organization?
Individual machine patching is necessary but not sufficient. You must identify and patch all instances of vulnerable Reader versions across your organization, including desktops, laptops, and any shared systems. Inventory your deployment, prioritize high-risk users (those who handle external documents), and enforce a patch management timeline.
What file types can trigger this vulnerability?
The vulnerability exists in Reader's file processing logic, so any document format that Reader can open—including PDF, PostScript, and related formats—could be weaponized. Do not assume that file extension filtering alone will block attacks.
Is there a temporary mitigation if I cannot patch immediately?
Yes. Disable automatic file opening in your browser, avoid opening unexpected attachments, restrict Reader's permissions via application sandboxing or AppLocker policies, and educate users on phishing indicators. These measures reduce but do not eliminate risk; patching remains the definitive remediation.
This analysis is based on information available as of the published and modified dates provided. Specific patch version numbers, exploitation status, and vendor timelines should be verified directly with Adobe's official security advisories and product documentation. This explainer is for informational purposes and does not constitute legal, compliance, or specific security advice. Organizations should assess this vulnerability in the context of their specific environment, risk tolerance, and asset inventory before determining remediation timelines. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34700HIGHInDesign Out-of-Bounds Write Remote Code Execution
- CVE-2026-34706HIGHAdobe InCopy Out-of-Bounds Write Vulnerability (CVSS 7.8 HIGH)
- CVE-2026-48293HIGHAdobe InDesign Out-of-Bounds Write Vulnerability (CVSS 7.8)
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine