CVE-2026-47913: Acrobat Reader Use-After-Free Code Execution Vulnerability
Adobe Acrobat Reader contains a use-after-free memory flaw that allows an attacker to execute arbitrary code if a user opens a specially crafted PDF file. The vulnerability affects Acrobat Reader version 24.001.30365, 26.001.21651 and earlier on both Windows and macOS. Because exploitation requires the victim to manually open a malicious document, this is not a wormable vulnerability, but it represents a meaningful risk in environments where users regularly receive files from untrusted sources.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is classified as a Use After Free (CWE-416) with a CVSS v3.1 score of 7.8 (HIGH). The flaw allows an attacker to trigger code execution through memory corruption when a crafted PDF file is processed by the vulnerable Acrobat Reader versions. The attack vector is local (AV:L), requires no privileges (PR:N), and depends on user interaction (UI:R). The impact is complete—the attacker can achieve confidentiality, integrity, and availability compromise in the context of the user running Acrobat Reader.
Business impact
Organizations relying on Acrobat Reader for document workflows face risk of endpoint compromise via supply-chain document delivery, social engineering attacks, or internal file sharing. A successful exploit grants the attacker the same access level as the user, potentially enabling lateral movement, data theft, or installation of persistence mechanisms. This is especially concerning for knowledge workers, legal professionals, and financial teams who regularly handle PDF documents from external parties.
Affected systems
Adobe Acrobat Reader versions 24.001.30365 and earlier, and 26.001.21651 and earlier are affected on both Windows and macOS platforms. Organizations should verify their current Acrobat Reader versions across their deployed fleet, including both perpetual and subscription-based deployments.
Exploitability
While no public exploit or KEV listing exists at this time, the vulnerability's reliance on user interaction—opening a malicious PDF—is a standard attack vector already well-established in the threat landscape. The barrier to exploitation is low; an attacker merely needs to craft a malicious PDF and deliver it through email, file sharing, or document repositories. Given Acrobat Reader's ubiquity and users' tendency to trust PDF files, this vulnerability is highly likely to be weaponized once patches are widely deployed.
Remediation
Apply the latest patched versions of Acrobat Reader released by Adobe. Verify against the official Adobe security advisory for exact version numbers and any platform-specific guidance. Until patching is complete, users should avoid opening PDF files from untrusted or unexpected sources, and organizations can consider restricting PDF opening to sandboxed environments or read-only viewers where feasible.
Patch guidance
Check Adobe's official security advisory to identify the specific patched versions for your platform and Acrobat variant (Reader, Acrobat Pro, etc.). Deploy patches through your standard software update mechanism, ensuring coverage across all endpoints where Acrobat Reader is installed. Test patches in a controlled environment before broad rollout to confirm compatibility with critical workflows. Prioritize user-facing systems and shared document repositories.
Detection guidance
Monitor for suspicious PDF file creation or modification in email attachments and shared drives. Observe for unexpected Acrobat Reader process behavior, including child process creation, network connections, or memory anomalies. Endpoint detection and response (EDR) tools should flag use-after-free exploitation patterns. Log file access attempts to PDF files that trigger unusual memory operations. Correlation of PDF opens with system crashes or privilege elevation attempts may indicate exploitation attempts.
Why prioritize this
This vulnerability merits urgent patching due to its HIGH CVSS score, achievable code execution impact, and low exploitation barriers. Acrobat Reader's prevalence in business environments combined with the commonplace nature of PDF-based social engineering makes this a prime target for both targeted and opportunistic attacks. Although KEV listing is not yet active, the attack surface is large and the user interaction requirement is easily satisfied through phishing or document supply-chain compromise.
Risk score, explained
The CVSS 7.8 score reflects high severity: local attack surface, no privilege requirement, user interaction needed, and complete compromise of confidentiality, integrity, and availability. The score appropriately balances the real-world threat (malicious PDFs are trivial to distribute) against the mitigating factor of required user action. For organizations with high email traffic or document-sharing workflows, the practical risk may trend higher than the baseline CVSS suggests.
Frequently asked questions
What types of malicious PDFs should users and security teams watch for?
Malicious PDFs exploiting this flaw may appear benign or masquerade as legitimate business documents, financial statements, invoices, or contracts. There are no reliable visual indicators of a malicious PDF; the exploit is triggered during the file parsing process. User awareness training should emphasize validating the source of PDF files before opening, not the appearance of the document.
Can this vulnerability be exploited through cloud-based PDF viewers or browser integrations?
The vulnerability is specific to Adobe Acrobat Reader and Acrobat Desktop versions. Exploitation through cloud-hosted PDF viewers or browser-based renderers depends on whether those services use vulnerable Acrobat Reader components. Verify with your cloud service or browser vendor for their specific use of Adobe libraries. Some organizations mitigate risk by disabling local Acrobat Reader in favor of browser-based or third-party viewers.
What is the difference between the two affected version ranges (24.x and 26.x)?
Adobe maintains multiple update branches for Acrobat Reader. Version 24.x and 26.x represent different release tracks (likely classic and continuous, or perpetual and subscription offerings). Both are affected and should be patched independently. Verify your installed version against both ranges when planning remediation.
If we cannot patch immediately, what interim controls are most effective?
Restrict Acrobat Reader usage to isolated or sandboxed endpoints if possible. Route incoming PDF files through a gateway-based PDF analysis service. Educate users to avoid opening PDFs from unexpected sources. Consider disabling local Acrobat Reader plugins in email clients and browsers, forcing users to manually save and open files—this adds friction and increases the likelihood of detection. These interim steps are not perfect mitigations but reduce attack surface until patches are deployed.
This analysis is provided for informational purposes and reflects the vulnerability details and CVSS assessment from the published advisory as of the date noted. Remediation timelines, patch availability, and affected product coverage should be verified against current Adobe security bulletins and your specific deployment configuration. Exploit code or detailed attack techniques are not provided herein. Organizations should conduct their own risk assessment based on their unique environment, user base, and threat model. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-47912HIGHAdobe Acrobat Reader Use-After-Free Remote Code Execution
- CVE-2026-47914HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47915HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47916HIGHAdobe Acrobat Reader Use-After-Free Vulnerability (7.8 HIGH)
- CVE-2026-47917HIGHAcrobat Reader Use-After-Free RCE Vulnerability
- CVE-2026-47918HIGHAcrobat Reader Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-47919HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability