CVE-2026-47914: Acrobat Reader Use-After-Free Code Execution Vulnerability
Adobe Acrobat Reader contains a use-after-free memory safety bug that allows attackers to execute arbitrary code on a victim's system. The vulnerability is triggered when a user opens a specially crafted PDF file, making it a file-based attack that relies entirely on social engineering or misdirection to succeed. Versions 24.001.30365, 26.001.21651, and earlier are vulnerable. Once exploited, an attacker gains the same privileges as the logged-in user, potentially enabling data theft, malware installation, or lateral movement within a network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47914 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat Reader that arises from improper memory management during PDF processing. When Acrobat Reader processes a malicious PDF, a memory object is freed but subsequently referenced by another part of the application, allowing an attacker to manipulate that freed memory region and achieve code execution. The vulnerability affects versions 24.001.30365, 26.001.21651, and earlier across Windows and macOS platforms. Exploitation requires a victim to open the crafted PDF file, meaning the attack surface is limited to user interaction scenarios rather than remote network exposure.
Business impact
Organizations face moderate-to-significant operational risk from this vulnerability. Desktop environments where Acrobat Reader is widely deployed—such as legal firms, financial services, insurance, and government agencies—are particularly exposed given their reliance on PDF document processing. Targeted attacks could lead to credential harvesting, intellectual property theft, or deployment of persistent malware. The user-interaction requirement somewhat limits the scale of opportunistic attacks, but sophisticated adversaries could combine this exploit with social engineering, spear-phishing campaigns, or watering-hole attacks to compromise high-value targets. Business continuity is at risk if critical workflows depend on Acrobat Reader and must be temporarily suspended pending patching.
Affected systems
Adobe Acrobat Reader versions 24.001.30365, 26.001.21651, and all earlier versions running on Windows and macOS are affected. The vulnerability does not appear to extend to browser-based PDF viewers or other third-party PDF applications, limiting exposure to environments where native Acrobat Reader is installed and actively used. Organizations should inventory Acrobat Reader deployments across their estate to assess scope.
Exploitability
Exploitation difficulty is moderate. While the technical barrier to triggering the memory corruption is relatively low—an attacker simply needs to craft a malicious PDF—the requirement for user interaction (opening the file) is a meaningful obstacle. Adversaries must either trick a user into opening a suspicious attachment or place the file in a location where a user might reasonably open it. The vulnerability is not yet tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting either no public weaponized proof-of-concept exists or active exploitation has not yet been observed at scale. However, the straightforward nature of the vulnerability means that exploit code could be developed relatively quickly by determined threat actors.
Remediation
Adobe has released patched versions that address this use-after-free condition. Organizations should apply the latest Acrobat Reader updates immediately to versions newer than 24.001.30365 and 26.001.21651, depending on which branch they are running. Verify patch availability against the official Adobe security advisory to confirm exact version numbers. Until patching is complete, risk can be reduced by disabling Acrobat Reader as the default PDF handler and switching to alternative PDF viewers (such as Windows' native PDF reader or third-party alternatives) that are not affected by this specific vulnerability.
Patch guidance
Consult the official Adobe security advisory for exact patched version numbers applicable to your deployment. Patches are typically available through Adobe's update mechanism within Acrobat Reader itself (Help > Check for Updates) or through the Adobe Download Center. Test patches in a non-production environment first, particularly in organizations with custom PDF workflows or plugins that may interact with Acrobat Reader. Prioritize patching systems used by staff who handle sensitive external documents, such as legal, compliance, or finance teams. For managed environments, deploy patches through centralized update management tools (WSUS, JAMF, etc.) to ensure consistent coverage.
Detection guidance
Monitor for abnormal Acrobat Reader process behavior, including unexpected child process creation, registry modifications, or network connections initiated by AcroRd32.exe or RdrCEF.exe. Endpoint detection and response (EDR) solutions should flag use-after-free exploitation attempts through memory corruption indicators or heap spray patterns. Network-based detection is limited since the attack requires local file opening; however, organizations can monitor for suspicious PDF attachments arriving via email and web downloads, particularly those lacking legitimate provenance. Logging PDF file accesses and monitoring for crashes or unexpected terminations of Acrobat Reader may indicate failed or successful exploitation attempts.
Why prioritize this
This vulnerability merits immediate attention despite not yet appearing in active exploitation catalogs. The high CVSS score (7.8) reflects significant impact potential—arbitrary code execution with full user privileges. While the user-interaction requirement provides some friction, Acrobat Reader's ubiquity in business environments and the relative ease of crafting a malicious PDF combine to create a credible risk. Organizations processing external PDFs regularly (legal, finance, HR, procurement) face elevated exposure and should prioritize patching. Delaying remediation risks opportunistic or targeted attacks as public awareness of the vulnerability spreads.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector (AV:L), low attack complexity (AC:L), no privilege requirement (PR:N), and requirement for user interaction (UI:R). The impact metrics are all high: confidentiality, integrity, and availability are all compromisable through arbitrary code execution. The user-interaction and local-only nature prevent a 'Critical' rating, but the direct path to code execution and the widespread deployment of Acrobat Reader ensure material risk to most organizations.
Frequently asked questions
Does this vulnerability affect Adobe Acrobat (the authoring tool) or only Acrobat Reader?
The vulnerability affects both Adobe Acrobat and Adobe Acrobat Reader according to the vendor advisory data. Both products contain the same use-after-free defect. If your organization uses Acrobat for document creation and editing, you should patch those installations as well.
Can this vulnerability be exploited remotely over the network?
No. The attack vector is local, meaning the attacker must convince a user to open a malicious PDF file on their system. The vulnerability cannot be triggered by merely viewing a file over a network share or email preview pane; the file must be actively opened in Acrobat Reader.
Is there a workaround if we cannot patch immediately?
Yes, as an interim measure, switch the default PDF handler to an alternative viewer (such as Windows' native PDF reader, Edge browser, or a third-party PDF application) so that suspicious PDFs do not automatically open in Acrobat Reader. Additionally, restrict Acrobat Reader usage through endpoint controls and user training. However, this is a temporary measure only—patching is the definitive remediation.
Why is this not yet on the CISA KEV list if it is so serious?
The CISA KEV catalog tracks vulnerabilities demonstrably exploited in the wild by adversaries. The absence of a vulnerability from KEV does not indicate low risk; it simply means no confirmed active exploitation has been reported to federal agencies yet. Threat actors may be silently exploiting the flaw, or they may be preparing exploits for targeted campaigns. Do not interpret the lack of KEV status as a reason to delay patching.
This analysis is provided for informational purposes and should not substitute for official vendor guidance or your organization's own security assessment. Patch version numbers and exact affected product versions should be verified against the official Adobe security advisory. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. SEC.co does not warrant the completeness or accuracy of third-party vulnerability data and recommends consulting primary sources (CVE.org, Adobe Security Bulletins) for authoritative details. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-47912HIGHAdobe Acrobat Reader Use-After-Free Remote Code Execution
- CVE-2026-47913HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47915HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47916HIGHAdobe Acrobat Reader Use-After-Free Vulnerability (7.8 HIGH)
- CVE-2026-47917HIGHAcrobat Reader Use-After-Free RCE Vulnerability
- CVE-2026-47918HIGHAcrobat Reader Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-47919HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability