CVE-2026-47918: Acrobat Reader Use-After-Free Remote Code Execution Vulnerability
Adobe Acrobat Reader contains a use-after-free vulnerability that allows attackers to execute arbitrary code on affected systems. The flaw requires a victim to open a malicious PDF or similar file, at which point the attacker's code runs with the same permissions as the user. Versions 24.001.30365, 26.001.21651, and earlier on Windows and macOS are vulnerable. This is a high-severity issue that should be prioritized for patching.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47918 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat Reader that permits remote code execution in the security context of the current user. The flaw arises from improper memory management—specifically, the application attempts to access memory that has already been freed, allowing an attacker to manipulate that freed memory region to execute arbitrary instructions. Exploitation requires user interaction; the victim must open a crafted malicious file. The CVSS v3.1 score is 7.8 (HIGH), reflecting high impact across confidentiality, integrity, and availability with local attack vector and no privilege escalation required.
Business impact
Successful exploitation enables complete compromise of user data and system integrity on affected workstations. Attackers can steal sensitive documents, install persistent malware, or pivot to internal networks. Organizations relying on Acrobat Reader for document handling—particularly those processing untrusted external PDFs—face elevated risk. The user-interaction requirement means phishing campaigns distributing malicious documents are a realistic attack vector. Unpatched systems remain vulnerable to opportunistic attacks.
Affected systems
Adobe Acrobat Reader DC and Acrobat DC are affected on both Windows and macOS platforms. Specifically, versions 24.001.30365, 26.001.21651, and all earlier versions carry the vulnerability. Verify your installed version and platform against Adobe's official advisory to confirm exposure.
Exploitability
This vulnerability requires user interaction—a victim must open a malicious file. No remote, unauthenticated exploitation is possible without social engineering or drive-by delivery. The attacker typically embeds malicious code within a specially crafted PDF or document that, when opened in vulnerable Acrobat Reader versions, triggers the use-after-free condition. The CVSS vector reflects that no elevated privileges are needed pre-exploitation, and once triggered, the attacker gains full code execution capabilities of the current user. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog as of the current data, though active exploitation cannot be ruled out.
Remediation
Update Adobe Acrobat Reader to a patched version released on or after June 17, 2026. Adobe typically releases updates through their regular patch cycles; consult the official Adobe security advisory for specific version numbers to upgrade to. Implement application whitelisting or disable JavaScript execution in Acrobat Reader if business processes permit. Additionally, educate users to be cautious when opening unsolicited PDF attachments or files from untrusted sources.
Patch guidance
Apply Adobe's official security updates for Acrobat Reader as soon as practicable. Updates should be available through Adobe's automatic update mechanism (Enable Updates in Acrobat preferences) or manual download from adobe.com/security. Test patches in a controlled environment before widespread deployment to ensure compatibility with workflows and integrations. Verify the installed version post-patch against the advisory to confirm successful remediation.
Detection guidance
Monitor for suspicious Acrobat Reader process behavior, including unexpected child process spawning, network connections from the application, or registry modifications. Log file opens of unusual PDF files or those from unexpected sources. Endpoint Detection and Response (EDR) tools should flag use-after-free exploitation attempts if they include memory corruption signatures. Review email gateway logs for PDF attachments from external senders, particularly those with obfuscated or suspicious content. Correlate Acrobat Reader crashes or unresponsive processes with timeline of document opens.
Why prioritize this
This vulnerability merits high priority due to its high CVSS score (7.8), full code execution impact, and prevalence of Acrobat Reader across enterprises. While user interaction is required, phishing and social engineering remain effective delivery mechanisms. The broad Windows and macOS support means most organizations have exposed systems. Rapid patching reduces the attack surface before adversaries shift to widespread exploitation campaigns.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects a use-after-free flaw enabling arbitrary code execution with high impact to confidentiality, integrity, and availability. The local attack vector (AV:L) acknowledges that exploitation requires file system access or document delivery. The requirement for user interaction (UI:R) prevents automatic exploitation but does not substantially lower risk given the ubiquity of Acrobat and prevalence of phishing. No privilege escalation is needed (PR:N), meaning a regular user's session is sufficient for code execution. The attack complexity is low (AC:L), indicating the vulnerability is likely straightforward to exploit once triggered.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. Exploitation requires a user to open a malicious file in Acrobat Reader. Automated, network-based attacks are not possible with this flaw alone.
Which versions of Acrobat Reader are affected?
Adobe Acrobat Reader versions 24.001.30365, 26.001.21651, and all earlier versions are vulnerable. Consult the official Adobe security advisory for the exact patched version numbers.
What should we prioritize—patching Acrobat Reader or other systems?
Given the 7.8 CVSS score and code execution impact, Acrobat Reader patching should be in your top tier. However, continue applying critical patches to operating systems and other high-risk applications in parallel; a comprehensive patch management program is essential.
If we disable Acrobat Reader, are we safe?
Disabling or uninstalling Acrobat Reader eliminates this specific threat, but many organizations require it for legitimate document workflows. Application whitelisting, user training, and timely patching are more practical layers of defense.
This analysis is based on publicly available vulnerability data current as of June 17, 2026. Specific patch version numbers, timelines, and vendor advisories should be verified directly with Adobe's official security announcements. Organizations should validate applicability to their environment and conduct testing before deploying patches. This explainer is for informational purposes and does not constitute professional security advice; consult your security team or a qualified professional for guidance specific to your infrastructure and risk posture. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-47912HIGHAdobe Acrobat Reader Use-After-Free Remote Code Execution
- CVE-2026-47913HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47914HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47915HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47916HIGHAdobe Acrobat Reader Use-After-Free Vulnerability (7.8 HIGH)
- CVE-2026-47917HIGHAcrobat Reader Use-After-Free RCE Vulnerability
- CVE-2026-47919HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability