CVE-2026-47916: Adobe Acrobat Reader Use-After-Free Vulnerability (7.8 HIGH)
Adobe Acrobat Reader contains a use-after-free memory defect that attackers can exploit to run arbitrary code with the same privileges as the user opening the file. The vulnerability affects multiple Acrobat Reader versions and requires an attacker to trick a user into opening a specially crafted malicious PDF or document. While the technical barrier to triggering the flaw is low, successful exploitation still depends on user action—someone must be convinced to open the dangerous file.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47916 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat Reader that permits arbitrary code execution in the context of the current user. The vulnerability exists in Acrobat Reader versions 24.001.30365, 26.001.21651, and earlier across Windows and macOS platforms. The attack surface is local; the memory safety issue is triggered when a user opens a malicious file. The CVSS 3.1 score of 7.8 (HIGH) reflects high impact across confidentiality, integrity, and availability, with low attack complexity and no privilege escalation requirement.
Business impact
Compromise of Acrobat Reader can lead to full system takeover by an attacker with the same user privileges. For organizations where PDF processing is routine—legal, financial, healthcare, and engineering sectors—this creates direct risk of data theft, ransomware installation, or lateral movement within the network. Supply chain attacks via malicious PDFs sent to employees, partners, or customers are feasible. The requirement for user interaction does not eliminate risk; it shifts it to social engineering, which remains an effective attack vector.
Affected systems
Adobe Acrobat Reader DC and Adobe Acrobat on Windows and macOS systems running versions 24.001.30365, 26.001.21651, or earlier are vulnerable. Verify exact vulnerable ranges and patch availability against Adobe's security advisory. Users of other PDF readers are not directly affected by this specific flaw, but Acrobat remains widespread in enterprise and consumer environments.
Exploitability
Exploitation requires a user to open a malicious file; no network access, authentication, or special privileges are needed from the attacker's perspective. Attack complexity is low. The barrier to weaponizing this vulnerability is moderate—an attacker must craft a file that triggers the use-after-free condition—but distribution via email, document collaboration platforms, or web downloads is straightforward. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but this does not guarantee exploit code does not exist in private use.
Remediation
Update Adobe Acrobat Reader and Acrobat to versions newer than 24.001.30365 and 26.001.21651 respectively. Consult Adobe's official security advisory to confirm the patched version numbers for your deployment. Until patches are applied, restrict the opening of unsolicited PDF files from untrusted sources and consider disabling PDF preview in email clients.
Patch guidance
Adobe has released patches to address this vulnerability. Confirm the patched version numbers from Adobe's official security advisory corresponding to your currently deployed version. Test patches in a non-production environment before broad rollout to ensure compatibility with internal document workflows and integrations. Prioritize systems used by high-risk roles (finance, legal, executive) who are frequent targets for spear-phishing with malicious attachments. Acrobat Reader auto-update should be enabled; verify it is active in your environment.
Detection guidance
Monitor for unexpected child processes spawned by AcroRd32.exe or Acrobat.exe, unusual network connections initiated from these processes, and suspicious file modifications following PDF opening events. Endpoint detection and response (EDR) tools should flag use-after-free exploitation attempts through memory access violations and heap corruption signals. Review email gateway logs for PDFs from external senders opened by users. Consider blocking execution of PDFs from untrusted zones via Windows Defender Application Guard or similar sandboxing. Log and alert on attempts to disable Acrobat Reader's auto-update feature.
Why prioritize this
HIGH severity, local attack surface, and widespread use of Acrobat Reader in enterprise environments make this a priority for patching. The requirement for user interaction is the main limiting factor, but social engineering remains reliable. Organizations handling sensitive documents should treat this as urgent. The lack of KEV designation does not diminish risk; it reflects current exploitation status, not vulnerability severity.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) is driven by high impact on all three pillars—confidentiality, integrity, and availability—combined with low attack complexity and no privilege escalation requirement. The user interaction requirement reduces the overall score from critical, but the consequences of successful exploitation (arbitrary code execution as the user) are severe. For organizations where Acrobat is mission-critical, this score should be treated as a lower bound; business context may elevate local risk.
Frequently asked questions
Does this affect all Acrobat Reader versions?
No. The vulnerability exists in version 24.001.30365, 26.001.21651, and earlier. Newer patched versions are not affected. Verify your current version in Acrobat Reader's Help menu and compare it against Adobe's official advisory.
What if we disable opening PDFs from email?
That is a strong mitigation while patches are pending. However, users may still receive PDFs through collaboration platforms, web browsers, or USB drives. Patching is the definitive fix. Use email restrictions as a temporary layered defense.
Can sandboxing Acrobat Reader prevent exploitation?
Sandboxing (e.g., Windows Defender Application Guard or third-party tools) can contain the damage if exploitation occurs, limiting the attacker's access to the broader system. However, it is not a substitute for patching, because the attacker can still steal files or data within the sandbox scope.
Is there a workaround if we cannot patch immediately?
No complete workaround exists. Mitigation steps include disabling auto-opening of PDFs, blocking PDFs from external email, educating users on suspicious attachments, and deploying EDR to detect exploitation attempts. These reduce risk but do not eliminate it. Patching should remain the priority.
This analysis is based on the vulnerability information and CVSS vector published as of the modification date. Exploit code availability, active exploitation, and patch release timelines may change. Organizations should verify all patch version numbers and compatibility against Adobe's official security advisory before deployment. This explainer does not constitute legal or compliance advice; consult your security and legal teams regarding disclosure obligations and incident response procedures. SEC.co and its analysts assume no liability for actions taken in reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-47912HIGHAdobe Acrobat Reader Use-After-Free Remote Code Execution
- CVE-2026-47913HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47914HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47915HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47917HIGHAcrobat Reader Use-After-Free RCE Vulnerability
- CVE-2026-47918HIGHAcrobat Reader Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-47919HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability