HIGH 7.8

CVE-2026-47919: Adobe Acrobat Reader Use-After-Free Code Execution Vulnerability

Adobe Acrobat Reader contains a use-after-free flaw that allows an attacker to execute arbitrary code on a victim's computer. The attack requires the victim to open a specially crafted malicious PDF or document file. Once executed, the attacker gains the same privileges as the user running Acrobat Reader, potentially enabling data theft, system compromise, or further lateral movement.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
5 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47919 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat Reader affecting versions 24.001.30365, 26.001.21651 and earlier on Windows and macOS. Use-after-free flaws occur when a program references memory that has already been freed, allowing an attacker to manipulate that memory space and achieve code execution. The vulnerability manifests through parsing of specially constructed files, with successful exploitation resulting in arbitrary code execution in the user's security context.

Business impact

Organizations dependent on Acrobat Reader for document workflows face elevated risk of targeted compromise. A successful attack could lead to data exfiltration from documents processed by affected users, malware installation on workstations, or supply-chain attacks if attackers target document handlers within critical business processes. The requirement for user interaction makes this a vector for social engineering and targeted phishing campaigns leveraging malicious PDFs.

Affected systems

Adobe Acrobat Reader DC and Adobe Acrobat DC are impacted on both Windows and macOS platforms. Specific vulnerable versions include 24.001.30365, 26.001.21651, and all earlier versions of these releases. Organizations using standalone Acrobat Reader or the bundled Acrobat DC suite should assume exposure unless they have already updated beyond the vulnerable versions.

Exploitability

While the vulnerability itself is straightforward to trigger, real-world exploitation is gated by user interaction—a victim must open a malicious file. This reduces the attack surface compared to network-based flaws, but increases the likelihood of targeted attacks via email, document sharing platforms, or watering-hole techniques. No active exploitation in the wild has been confirmed as of the advisory publication, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.

Remediation

Adobe has released patched versions of Acrobat Reader and Acrobat DC. Organizations should apply updates to versions newer than 24.001.30365 and 26.001.21651 respectively. Verify the exact patch version against Adobe's official security bulletin. Interim controls include restricting Acrobat Reader to trusted document sources, disabling suspicious file type handling, and implementing application whitelisting to limit execution scope.

Patch guidance

Consult Adobe's official security advisory for the specific patch version numbers applicable to your deployment. Patches should be deployed on a priority basis across all endpoints running vulnerable versions, particularly those handling untrusted documents from external parties. Test patches in a non-production environment first, as Acrobat updates can occasionally introduce compatibility issues with legacy workflows or third-party plugins.

Detection guidance

Monitor for suspicious process execution spawned by Acrobat Reader, unusual memory access patterns, and file I/O activity immediately following document opens. Log all Acrobat Reader crashes and memory protection violations, as use-after-free exploits often trigger observable exceptions before achieving full code execution. Endpoint detection and response (EDR) tools should flag abnormal child process creation from AcroRd32.exe or Acrobat.exe.

Why prioritize this

This vulnerability scores 7.8 (HIGH) on CVSS 3.1 due to high confidentiality, integrity, and availability impact coupled with local attack vector and minimal complexity. While user interaction is required, the ease of weaponization through malicious documents, combined with Acrobat's prevalence in enterprise environments and the severity of potential code execution, warrants urgent patching. Organizations handling sensitive documents should treat this as high priority.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects: local attack vector (AV:L) limiting initial access to users of the system; low attack complexity (AC:L) meaning standard file-crafting techniques suffice; user interaction required (UI:R) reducing but not eliminating risk; and high impact across confidentiality (C:H), integrity (I:H), and availability (A:H). The unchanged user scope (S:U) means no privilege escalation is needed—the attacker operates within existing user permissions.

Frequently asked questions

Do I need to patch all versions of Acrobat Reader or just DC?

Both. The vulnerability affects Adobe Acrobat Reader DC and Adobe Acrobat DC on Windows and macOS. Verify your current version and check Adobe's advisory for the specific patch applicable to your installation. Standalone and subscription-based deployments may have different update mechanics.

What should we do if we can't patch immediately?

Restrict users from opening Acrobat documents from untrusted external sources, disable document opening from email clients if feasible, and educate users to be suspicious of unexpected file attachments. Implement application allow-listing or sandboxing if your endpoint protection supports it. Prioritize patching for users who routinely handle documents from third parties or handle sensitive data.

Is this vulnerability being actively exploited in the wild?

As of the advisory publication date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed active exploitation at that time. However, the relative ease of weaponization through PDF attachments suggests opportunistic or targeted use is possible, so preventive patching remains essential.

How does this differ from other recent PDF vulnerabilities?

Use-after-free flaws like this one are particularly dangerous because they allow arbitrary code execution without requiring additional privilege escalation. The requirement for user interaction (opening a file) is the primary limiting factor. Compared to network-based PDF exploits, this is lower impact to the organization overall, but higher impact to affected individuals who open malicious files.

This analysis is based on information available as of June 2026 and the advisory data provided. Security researchers and organizations should consult Adobe's official security advisories for the most current patch version numbers, affected product list, and remediation guidance. Exploit code is not provided or endorsed by SEC.co. Organizations must conduct their own risk assessment based on their specific Acrobat Reader deployment, document handling practices, and user populations. This explainer does not constitute security advice for your organization; consult your security team for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).