HIGH 7.8

CVE-2026-47920: Adobe Acrobat Reader Use-After-Free RCE Vulnerability Analysis

Adobe Acrobat Reader contains a use-after-free memory vulnerability that allows an attacker to execute arbitrary code with the privileges of the user opening a malicious PDF file. The vulnerability affects Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier on both Windows and macOS. Successful exploitation requires social engineering to convince a user to open a specially crafted document, but once opened, the attacker gains full code execution in that user's security context.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
5 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47920 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat Reader that allows memory corruption and subsequent arbitrary code execution. The vulnerability exists in versions 24.001.30365 and 26.001.21651 or earlier. The flaw occurs when Acrobat Reader processes a malicious PDF file, causing the application to reference memory that has already been freed. This memory safety violation enables an attacker to overwrite freed memory and redirect code execution. The attack surface is local (AV:L) and does not require elevated privileges (PR:N), but does require user interaction (UI:R) to open the malicious file.

Business impact

Organizations relying on Acrobat Reader for document processing face risk of data theft, ransomware infection, and unauthorized system access. Because exploitation requires only that a user open a file, the attack vector is particularly effective in email-based phishing campaigns or compromised file-sharing services. A successful breach could lead to loss of confidentiality, integrity, and availability across affected systems. Remote workers and contractors who frequently receive PDF documents from external parties are at elevated risk. Incident response costs, regulatory notification obligations, and business disruption amplify the financial impact.

Affected systems

The vulnerability affects Adobe Acrobat Reader DC and Adobe Acrobat (standard and Pro editions) on Windows and macOS platforms. All systems running Acrobat Reader version 24.001.30365 or earlier, or version 26.001.21651 or earlier, are in scope. Users of Acrobat's embedded PDF viewers in third-party applications may also be affected depending on which Acrobat version is bundled. Enterprise deployments utilizing centralized PDF handling or document management systems that rely on Acrobat Reader for rendering should assess their exposure across all endpoints.

Exploitability

Exploitation requires user interaction—specifically opening a malicious PDF document. No authentication is needed, and the attacker does not require network connectivity or elevated privileges. This low barrier to exploitation makes the vulnerability well-suited to phishing, watering hole attacks, and social engineering. Once a user opens the file, the use-after-free condition is triggered automatically, making reliable exploitation feasible for attackers with moderate skill. The vulnerability has not yet been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been publicly confirmed at this time, but this does not indicate the vulnerability is difficult to exploit.

Remediation

Users and administrators should immediately update Acrobat Reader to the latest available version beyond 24.001.30365 and 26.001.21651. Adobe typically releases updates monthly; verify the exact patch version in the vendor advisory. For organizations unable to patch immediately, implement compensating controls: disable or restrict PDF opening from untrusted sources, block PDF files in email gateways, and enforce file execution policies that prevent scripts and active content within PDFs. Consider requiring users to open PDFs in sandboxed or read-only viewers where feasible.

Patch guidance

Update to the latest version of Adobe Acrobat Reader DC and Adobe Acrobat beyond the affected versions (verify the specific patch version in Adobe's official security advisory). Patch management should prioritize systems where users regularly receive external PDFs: administrative staff, legal teams, finance departments, and remote workers. Test patches in a non-production environment first to ensure compatibility with any dependent applications or workflows. Enable automatic updates where possible to reduce the window of vulnerability. For organizations with centralized license management (volume licensing), coordinate updates through Adobe's deployment tools to ensure uniform coverage.

Detection guidance

Monitor endpoint security logs for unusual process execution spawned by Acrobat Reader, particularly child processes indicating code injection or shell spawning. Behavioral analytics can detect memory corruption attempts or heap spray attacks characteristic of use-after-free exploitation. Network indicators include unexpected outbound connections from Acrobat Reader to command-and-control servers. Email gateway logs should be reviewed for suspicious PDF attachments, particularly those with unusual naming patterns, metadata inconsistencies, or from new or spoofed senders. File integrity monitoring on system libraries and executables can reveal post-exploitation persistence mechanisms. Correlation of Acrobat Reader crashes with successful breach indicators warrants investigation, as the use-after-free may succeed silently without crashing on some systems.

Why prioritize this

This vulnerability merits immediate prioritization due to its high CVSS score (7.8), widespread user base of Acrobat Reader, and low exploitation barrier. The combination of high-impact outcomes (confidentiality, integrity, and availability compromise) with a user-interaction-only requirement makes it an attractive target for targeted phishing campaigns and mass exploitation. The absence of public KEV status does not reduce urgency—it reflects timing lag, not absence of threat. Organizations should treat this as a critical patch within 1–2 weeks of patch availability.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH severity) reflects the vulnerability's characteristics: Local Attack Vector (AV:L, as the attacker must deliver a file to the target), Low Attack Complexity (AC:L, exploitation is reliable), No Privilege Requirement (PR:N), Required User Interaction (UI:R, opening the file), and impact to all three security properties—Confidentiality, Integrity, and Availability (C:H, I:H, A:H). The score appropriately captures the trade-off between the modest user-interaction requirement and the severe consequences of successful exploitation. The use-after-free class (CWE-416) is a well-understood, frequently exploited vulnerability type, supporting the HIGH severity assessment.

Frequently asked questions

Do I need to update if users only open PDFs from trusted internal sources?

Yes. While internal PDFs are lower-risk than external ones, a compromised or misconfigured system could still deliver malicious PDFs from within your network. Additionally, supply chain attacks have become common—'trusted' partners may be compromised. Patching eliminates the vulnerability entirely and is the only reliable defense.

What is the difference between Acrobat Reader DC and Adobe Acrobat Standard/Pro?

Acrobat Reader DC is the free viewer-only application. Adobe Acrobat Standard and Pro are paid products with editing and creation capabilities. All versions use the same underlying PDF rendering engine and are susceptible to this use-after-free vulnerability. All should be patched.

If Acrobat Reader crashes when opening a malicious PDF, does that mean the attack failed?

Not necessarily. A crash indicates the use-after-free condition was triggered, but crashes are not guaranteed. Successful exploitation may occur silently without any visible error. Users should report unexpected crashes to security teams, and crashed files should be quarantined for analysis.

Can I disable Acrobat Reader and use a different PDF viewer instead?

Yes. Alternative viewers (Edge, Chrome, Firefox built-in PDF readers, or third-party tools like Foxit or Sumatra) may not be affected by this specific vulnerability. Evaluate their security posture and feature requirements. However, some organizations require Acrobat for form processing, digital signatures, or compliance reasons, making replacement infeasible.

This analysis is provided for informational purposes and represents SEC.co's professional assessment based on publicly available information as of the publication date. Actual vulnerability details, patch versions, and vendor advisory timelines are subject to change. Organizations must verify patch applicability against Adobe's official security bulletins and test in their own environments before deploying to production. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this information and assumes no liability for decisions made based on this analysis. Consult with Adobe support and your security team for environment-specific remediation guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).