CVE-2026-47917: Acrobat Reader Use-After-Free RCE Vulnerability
Adobe Acrobat Reader contains a use-after-free memory defect that allows attackers to execute code with the same privileges as the user running the application. The vulnerability exists in versions 24.001.30365, 26.001.21651 and earlier on Windows and macOS systems. An attacker must trick a user into opening a specially crafted file to trigger the flaw, making this a file-based attack vector rather than a remote network vulnerability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This use-after-free vulnerability (CWE-416) arises when Acrobat Reader fails to properly manage memory references during document processing. After a memory object is freed, the application may attempt to access it again through a dangling pointer, allowing an attacker to corrupt the heap and redirect execution flow. The attack requires local file access and user interaction—the victim must open the malicious document. The vulnerability affects both Acrobat Reader DC and the broader Acrobat product line on Windows and macOS platforms.
Business impact
Exploitation could result in complete compromise of user systems and data within the affected user context. For enterprises where users regularly handle PDF documents from external sources—vendors, partners, customers—this represents a material risk vector. Attackers could gain access to sensitive documents, credentials, or use the compromised system as an entry point for lateral movement. Organizations relying on Acrobat for secure document workflows face potential data exfiltration and intellectual property theft.
Affected systems
Adobe Acrobat Reader DC (versions 24.001.30365 and earlier, and 26.001.21651 and earlier), Adobe Acrobat DC, and the broader Adobe Acrobat product line running on Windows and macOS systems. Organizations using older versions or maintaining version pinning policies should audit their deployment landscape immediately.
Exploitability
Exploitation is feasible but requires user interaction—a victim must explicitly open a malicious PDF file. There is no remote code execution pathway and no authentication bypass; the attack surface is fundamentally limited to users who can be socially engineered into opening untrusted documents. However, the prevalence of PDF attachments in phishing campaigns and the trust users place in PDF files make this a practical attack vector. This vulnerability is not currently tracked on the CISA Known Exploited Vulnerabilities catalog as of the last update.
Remediation
Adobe has released patches addressing this vulnerability. Affected users should upgrade to versions later than 24.001.30365 for the 24.x branch and later than 26.001.21651 for the 26.x branch. Verify the exact patched version numbers against the official Adobe security advisory. Organizations should prioritize patching for users who handle external or untrusted documents, and consider implementing application control policies to restrict Acrobat execution in high-risk scenarios.
Patch guidance
Check Adobe's official security bulletin for the specific patched versions for your Acrobat branch. The vulnerability affects version 24.001.30365 and earlier, and 26.001.21651 and earlier, so any version released after those branches should contain the fix. Deploy patches through your standard patch management process, prioritizing endpoints where users receive external documents. Test patches in a non-production environment first to ensure compatibility with any custom PDF workflows or plugins.
Detection guidance
Monitor for unusual Acrobat Reader process behavior, including unexpected child processes, network connections, or file system modifications initiated by the application. Implement file-based detection by scanning incoming PDF attachments for suspicious characteristics or known malicious signatures if your email gateway supports deep inspection. Endpoint detection and response (EDR) solutions should flag heap corruption attempts or memory access violations originating from Acrobat processes. Consider blocking macros and active content in PDFs at the gateway level as a defense-in-depth measure.
Why prioritize this
With a CVSS score of 7.8 (HIGH severity), this vulnerability combines high confidentiality, integrity, and availability impact with low attack complexity. While user interaction is required, the ubiquity of Acrobat in enterprise environments and the ease with which PDFs can be weaponized in phishing campaigns make this a material near-term risk. The absence of CISA KEV listing should not diminish internal prioritization; active remediation should begin within the standard patch cycle for high-severity issues.
Risk score, explained
The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects a local attack requiring minimal complexity but necessitating user interaction. The HIGH severity rating accounts for complete compromise of confidentiality, integrity, and availability within the user's security context. The attack vector is local (not network-based), reducing breadth of attack surface, but the combination of high impact and low complexity justifies urgent patching.
Frequently asked questions
Can this vulnerability be exploited over the network or through email attachments?
The vulnerability is not remotely exploitable and does not execute automatically. A user must open the malicious file. However, it can certainly be delivered via email attachment, making phishing a practical delivery mechanism. Email filtering should focus on blocking suspicious PDFs or restricting Acrobat's ability to execute content without user consent.
Do older versions of Acrobat Reader (pre-version 24) require patching?
The vulnerability advisory specifies versions 24.001.30365 and earlier, and 26.001.21651 and earlier. If you operate versions outside these branches, consult the official Adobe security bulletin to confirm whether your specific version is affected. Do not assume older versions are safe without explicit confirmation.
What should we do if we can't patch immediately?
Implement compensating controls: restrict Acrobat's execution via application allowlisting, disable active content and JavaScript in PDFs, enforce email gateway inspection of PDF attachments, and educate users to avoid opening unsolicited PDFs. These measures reduce but do not eliminate risk; patching remains the definitive remediation.
Is this vulnerability being exploited in the wild?
As of the publication date, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog, suggesting limited or no observed active exploitation at scale. However, the absence of public exploitation does not mean development of working attacks is impossible, and motivated adversaries may create targeted exploits. Treat this as an urgent but not emergency-level issue unless your organization receives direct intelligence of attacks.
This analysis is based on information available as of June 2026 and reflects the vulnerability's status at that time. Patch version numbers and availability should be verified directly against Adobe's official security advisory. CVSS scores and severity ratings are derived from the official CVE entry and may be updated by NIST or Adobe. This explainer provides general guidance; organizations should conduct their own risk assessment based on their specific Acrobat deployment, user workflows, and threat landscape. No exploit code or weaponized proof-of-concept is provided. SEC.co recommends consulting with your security team and Adobe support for environment-specific questions. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-47912HIGHAdobe Acrobat Reader Use-After-Free Remote Code Execution
- CVE-2026-47913HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47914HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47915HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47916HIGHAdobe Acrobat Reader Use-After-Free Vulnerability (7.8 HIGH)
- CVE-2026-47918HIGHAcrobat Reader Use-After-Free Remote Code Execution Vulnerability
- CVE-2026-47919HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability