HIGH 7.8

CVE-2026-47912: Adobe Acrobat Reader Use-After-Free Remote Code Execution

Adobe Acrobat Reader contains a use-after-free memory vulnerability that allows an attacker to execute arbitrary code on a victim's computer with the privileges of the logged-in user. The attack requires the victim to open a specially crafted malicious PDF file. Versions 24.001.30365, 26.001.21651, and earlier on Windows and macOS are affected. This is a serious flaw because it bypasses the application's normal security controls and gives attackers direct code execution capability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
5 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47912 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat Reader that arises when the application incorrectly manages memory—specifically, it accesses memory that has already been freed. An attacker can craft a malicious PDF document designed to trigger this condition during parsing or rendering. When a user opens the malicious file, the freed memory region can be controlled or manipulated by the attacker to redirect code execution to arbitrary payloads. The vulnerability operates in the context of the user running Acrobat Reader, meaning the attacker gains the same file access and system permissions as that user.

Business impact

This vulnerability poses a direct and significant business risk. An attacker can deliver a malicious PDF via email, file-sharing platforms, or compromised websites. Once opened, the attacker gains code execution on the victim's machine, potentially leading to data theft, lateral movement into your corporate network, installation of persistent malware, or disruption of critical workflows. Given that Acrobat Reader is ubiquitous in business environments for document processing, the attack surface is broad. Organizations that rely heavily on external PDFs—such as legal firms, financial institutions, and enterprises processing customer documents—face elevated risk.

Affected systems

Adobe Acrobat Reader versions 24.001.30365 and earlier, as well as 26.001.21651 and earlier, running on Microsoft Windows and Apple macOS are affected. Organizations should verify the exact build numbers of Acrobat Reader deployed across their environment. Note that both legacy and current major versions are in scope, so patching must address both deployment tiers.

Exploitability

The vulnerability is exploitable but requires user interaction—a victim must deliberately or unknowingly open a malicious PDF. This is a realistic attack vector in most organizations, particularly where users receive PDFs from untrusted sources, partners, or phishing campaigns. The CVSS score of 7.8 (HIGH) reflects both the severity (arbitrary code execution) and the requirement for user action, which slightly reduces the attack probability compared to a network-based, no-interaction flaw. The vulnerability is not yet listed on the CISA Known Exploited Vulnerabilities catalog, though this does not guarantee absence of exploit development in the wild.

Remediation

Organizations must prioritize patching Acrobat Reader to a version released after the vulnerability disclosure. Adobe typically releases incremental patches for both legacy and current versions. Contact Adobe directly or consult their official security advisory to identify the specific patched versions for your deployment. Implement a phased patching strategy: prioritize high-risk user groups (those handling external PDFs, such as legal, finance, and procurement teams) before rolling out to all users. For systems where immediate patching is not possible, implement application whitelisting and endpoint detection and response (EDR) tools configured to monitor for suspicious Acrobat Reader process behavior.

Patch guidance

Obtain the official patched version from Adobe's security advisory or update portal. Test patches in a non-production environment first to ensure compatibility with any custom PDF workflows or plugins your organization relies on. Acrobat Reader updates are typically cumulative and do not require uninstallation of prior versions. Verify patch deployment using asset inventory tools, and ensure both the main application and any bundled components are updated. For organizations with manual deployment processes, validate the patched version number against Adobe's published fix list. Establish a regular patching cadence for Acrobat Reader to avoid accumulating multiple critical vulnerabilities.

Detection guidance

Monitor for unusual process execution spawned from Acrobat Reader, particularly unexpected child processes or shell invocations. Network detection tools should flag suspicious outbound connections initiated by acrordrdc.exe or acrord32.exe processes. File integrity monitoring can detect unauthorized modifications to system files or registry keys. EDR and SIEM solutions should correlate Acrobat Reader crashes (a symptom of use-after-free exploitation) with subsequent suspicious activity. Behavioral analysis tools can identify attempts to allocate and control freed memory regions. Additionally, user education is critical—train staff to scrutinize unexpected PDF attachments and avoid opening PDFs from unverified sources.

Why prioritize this

This vulnerability merits immediate priority because it enables arbitrary code execution on user machines with minimal attacker effort. The high CVSS score (7.8) combined with realistic user-interaction exploitation makes this a top-tier threat, particularly in industries that process external documents. The widespread deployment of Acrobat Reader ensures a large potential victim pool. While not yet publicly exploited according to CISA, the technical simplicity of use-after-free exploitation means weaponized proof-of-concepts are likely to emerge quickly. Organizations should patch this vulnerability within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects: (1) Local attack vector—the attacker must deliver a file to the victim's machine; (2) Low attack complexity—crafting a malicious PDF does not require special conditions or bypassing robust mitigations; (3) No privileges required—the attacker does not need existing access; (4) User interaction required—the victim must open the file; (5) Unchanged scope—the vulnerability is confined to the Acrobat process; (6) High confidentiality, integrity, and availability impact—arbitrary code execution grants full control to the attacker. The 'HIGH' severity band reflects that this is a serious, exploitable flaw despite the user-interaction requirement.

Frequently asked questions

Does this vulnerability affect Adobe Acrobat Pro, or only the Reader version?

The vulnerability affects Adobe Acrobat Reader. If your organization uses Adobe Acrobat Pro (the full authoring suite), verify the version against Adobe's advisory, as Pro and Reader share underlying code libraries. Consult Adobe's official security documentation to determine which Pro versions are impacted.

Can we mitigate this risk without patching immediately?

Complete mitigation requires a patch. Interim controls include: disabling Acrobat Reader as the default PDF handler and using an alternative PDF viewer for untrusted files; blocking PDF attachments at the email gateway; implementing application whitelisting to restrict Acrobat execution; and enabling EDR monitoring for suspicious Acrobat behavior. These measures reduce but do not eliminate risk.

What is the difference between versions 24.001.30365 and 26.001.21651?

These represent different major release branches of Acrobat Reader (version 24 and version 26, respectively). Adobe supports multiple concurrent versions to maintain backward compatibility and allow enterprises time to test updates. Both branches are affected and both require patching. Your organization's patch strategy should address whichever versions are deployed.

How long do we have before this is actively exploited?

The vulnerability is currently not on CISA's KEV catalog, suggesting no widespread public exploitation at the time of publication. However, use-after-free vulnerabilities are well-understood, and exploit development typically occurs within days to weeks of disclosure. We recommend patching within 3-5 business days rather than waiting for evidence of active exploitation.

This analysis is provided for informational purposes and reflects the state of vulnerability intelligence as of the publication date. Security landscape, patch availability, and exploit status may evolve. Organizations must verify all patch versions, compatibility, and deployment procedures against official Adobe security advisories and their own system configurations. SEC.co does not assume liability for incomplete patching, misapplication of guidance, or third-party tool failures. Always test patches in non-production environments before wide deployment. For the most current information, consult Adobe's official security bulletin and your vendor's guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).