CVE-2026-47915: Adobe Acrobat Reader Use-After-Free Code Execution Vulnerability
Adobe Acrobat Reader contains a use-after-free memory vulnerability that allows attackers to execute arbitrary code with the privileges of the user running the application. The flaw affects Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier on Windows and macOS. An attacker must trick a user into opening a specially crafted malicious document for the vulnerability to be exploited. Once triggered, the attacker gains full control over the affected system, potentially allowing data theft, system compromise, or lateral movement within your network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47915 is a use-after-free vulnerability (CWE-416) in Adobe's PDF reader software. Use-after-free flaws occur when an application references memory that has already been freed, allowing an attacker to control that memory region and execute arbitrary code. In this case, the vulnerability exists in Acrobat Reader versions up to 24.001.30365 (2024 release) and 26.001.21651 (2026 release). The vulnerability requires user interaction—specifically opening a malicious PDF document—which serves as the attack vector. Once exploited, the attacker's code runs in the security context of the current user, bypassing the application sandbox and potentially accessing sensitive files and system resources.
Business impact
This vulnerability poses significant risk to any organization where employees regularly use Adobe Acrobat Reader to view PDF documents. The business impact includes: potential theft of sensitive data embedded in PDFs or accessible through the compromised user's account; lateral movement into corporate networks if the affected machine is connected to internal systems; system availability disruption if malware is deployed; compliance violations if customer or regulated data is accessed; and remediation costs including forensic investigation, system reimaging, and potential incident response. The threat is elevated because PDFs are ubiquitous in business communication, making social engineering attacks particularly effective. Adversaries could distribute malicious PDFs via email, file-sharing platforms, or watering-hole attacks.
Affected systems
The vulnerability affects Adobe Acrobat and Acrobat Reader DC on both Windows and macOS platforms. Specifically impacted are Acrobat Reader versions 24.001.30365 and earlier, as well as version 26.001.21651 and earlier. This includes both the standalone Acrobat Reader application and Acrobat DC suite installations. The cross-platform nature of the vulnerability means that Windows and macOS users are equally exposed. Browser-integrated PDF viewers relying on these vulnerable libraries may also be affected, depending on deployment configuration.
Exploitability
Exploitability is moderate-to-high due to the requirement for user interaction. An attacker cannot remotely exploit the vulnerability without the victim's involvement; however, social engineering techniques make this a practical attack vector. Adversaries can craft a malicious PDF that appears innocuous (e.g., disguised as an invoice, contract, or notification) and distribute it via email or file-sharing services. Users accustomed to opening PDFs without suspicion are likely targets. The vulnerability does not require special privileges or complex exploitation steps—opening the file in a vulnerable version of Acrobat Reader triggers the memory corruption. The high CVSS score (7.8) reflects the severity of potential code execution once the barrier of user interaction is overcome.
Remediation
The primary remediation is to update Adobe Acrobat and Acrobat Reader to patched versions beyond those listed as vulnerable. Adobe typically releases patches through its standard update channels. Verify the exact patched version numbers against the official Adobe security advisory. In the interim, consider these mitigations: restrict PDF opening to trusted, internal sources; deploy application sandboxing or isolation technology to limit the impact of potential code execution; monitor file attachment policies to block suspicious PDFs; educate users about the risks of opening unexpected PDF attachments; and consider using alternative PDF viewers for non-critical documents if they are kept current with security patches.
Patch guidance
Update Adobe Acrobat Reader and Acrobat DC to versions later than 24.001.30365 (for the 2024 release line) and later than 26.001.21651 (for the 2026 release line). Adobe's automatic update feature should deliver patched versions; however, verify through Help > About Adobe Acrobat Reader to confirm your installed version number. Patches are typically released through Adobe's standard security update cycle. Consult the official Adobe security advisory for the exact patched version numbers for your release channel (continuous, classic, or institutional). Organizations should validate patch deployment across all endpoints before marking the vulnerability as remediated. Consider prioritizing systems used by high-value targets (executives, finance, legal teams) who are more likely to receive sophisticated phishing with malicious PDFs.
Detection guidance
Detection strategies include: monitoring for suspicious PDF files distributed via email or file shares using file scanning and content inspection; observing unusual process spawning from Acrobat Reader (e.g., cmd.exe, PowerShell, or system utilities) which may indicate post-exploitation activity; reviewing Acrobat Reader crash logs and memory protection violations; auditing application inventory to identify systems running vulnerable versions; analyzing network traffic for data exfiltration patterns following suspicious PDF opens; and reviewing endpoint detection and response (EDR) telemetry for anomalous behavior correlating with PDF document access. Malicious PDFs may contain suspicious embedded objects, JavaScript, or launch commands; advanced threat detection tools can flag these characteristics.
Why prioritize this
This vulnerability merits high priority remediation due to the combination of: severe impact (arbitrary code execution with user-context privileges); widespread applicability (Acrobat Reader is ubiquitous in business environments); moderate exploitability (requires user interaction but social engineering is practical); and cross-platform exposure (Windows and macOS). The use-after-free class of vulnerability is often difficult to patch completely without regression, and adversaries actively develop exploits for memory corruption flaws. Organizations should treat this as a critical update target and prioritize patching within days rather than weeks.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: Local attack vector (AV:L) because the malicious file must be opened locally; low attack complexity (AC:L) meaning no special conditions are required beyond file opening; no privilege escalation required (PR:N); required user interaction (UI:R) to open the document; unchanged scope (S:U) in that privileges are not escalated to system level; and high impact across confidentiality, integrity, and availability (C:H, I:H, A:H). The score appropriately captures the threat: while user interaction is required, the resulting code execution is unrestricted and could lead to complete system compromise.
Frequently asked questions
Can Acrobat Reader be exploited if I don't open the malicious PDF?
No. The vulnerability requires user interaction—specifically opening the malicious PDF file in a vulnerable version of Acrobat Reader. Simply receiving the file via email or viewing it in a preview pane (depending on the preview engine) does not trigger exploitation. However, do not open unexpected or suspicious PDF attachments, especially from unknown senders.
Does this vulnerability affect web browsers' built-in PDF viewers?
Built-in browser PDF viewers (such as Chrome's or Firefox's native PDF.js) are generally not affected by this Acrobat Reader vulnerability. However, if a user explicitly opens a PDF in standalone Adobe Acrobat Reader instead of the browser viewer, the vulnerability applies. Some enterprise configurations may default to Acrobat Reader for PDF handling; verify your organization's PDF handling policy.
What should I do if I've already opened a suspicious PDF?
Immediately disconnect the affected machine from the network and report it to your security team for forensic analysis. Do not use the system until it has been validated by your incident response team. Check for signs of compromise such as unauthorized file access, unexpected processes, or lateral movement attempts. Consider the data accessible from that user account and initiate appropriate notification or investigation procedures if data was likely exposed.
Are there workarounds if I cannot update immediately?
Yes, interim mitigations include: disabling JavaScript in Acrobat Reader (Edit > Preferences > Security > General); using alternative PDF readers such as Sumatra PDF or web-based viewers for non-critical documents; configuring endpoint controls to restrict Acrobat Reader execution; and strictly enforcing a policy against opening unexpected PDF attachments. These are temporary measures pending patching.
This analysis is based on publicly available information current as of the publication date. Patch version numbers and remediation steps should be verified against the official Adobe security advisory before deployment. Organizations should conduct their own risk assessment and testing in their environment. This document is for informational purposes and does not constitute legal or compliance advice. Consult your organization's security and legal teams for guidance specific to your regulatory requirements and threat landscape. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-47912HIGHAdobe Acrobat Reader Use-After-Free Remote Code Execution
- CVE-2026-47913HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47914HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47916HIGHAdobe Acrobat Reader Use-After-Free Vulnerability (7.8 HIGH)
- CVE-2026-47917HIGHAcrobat Reader Use-After-Free RCE Vulnerability
- CVE-2026-47918HIGHAcrobat Reader Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-47919HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability