HIGH 7.8

CVE-2026-47921: Adobe Acrobat Reader Use-After-Free Code Execution Vulnerability

Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier contain a use-after-free memory vulnerability that allows attackers to execute arbitrary code with the privileges of the logged-in user. The attack requires social engineering—a victim must be tricked into opening a malicious PDF or related file. This is a practical threat because Acrobat Reader is ubiquitous in enterprise and consumer environments, and users routinely open files from untrusted sources.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
5 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a use-after-free (CWE-416) condition in Acrobat Reader's memory management. When processing specially crafted input, the application references memory that has already been freed, allowing an attacker to overwrite that region with malicious code or data structures. Upon execution of the freed memory, arbitrary code runs in the current user's security context. The vulnerability affects both Acrobat DC and Acrobat Reader DC on Windows and macOS platforms.

Business impact

Successful exploitation enables attackers to steal sensitive documents, deploy malware, establish persistence, or pivot to corporate networks. Since Acrobat is a primary vector for document-based attacks and many users process documents without hesitation, this vulnerability poses significant risk to confidentiality, integrity, and availability. Organizations relying on Acrobat for handling sensitive contracts, financial records, or intellectual property face direct exposure.

Affected systems

Adobe Acrobat DC, Adobe Acrobat Reader DC, and earlier versions up to the stated cutoffs are affected on both Windows and macOS. Verify your installed version against vendor advisories to determine exposure. Note that the vulnerability requires the vulnerable Acrobat application itself; the underlying OS (Windows, macOS) is not the root cause but is the execution platform.

Exploitability

This vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last modification date. However, the attack surface is broad because it requires only user interaction—no special privileges, no network access, and no complex configuration. The barrier to exploitation is low for attackers who can distribute a malicious file. Phishing campaigns, compromised document repositories, or supply-chain attacks are plausible delivery mechanisms.

Remediation

Update Acrobat Reader and Acrobat DC to versions newer than 24.001.30365 and 26.001.21651 respectively. Adobe will release patched versions; consult the Adobe Security Bulletin for exact build numbers and availability. Deploy updates via your software management tools as soon as patches are available. For users unable to immediately patch, reduce exposure by disabling unnecessary file preview features and educating staff on suspicious file sources.

Patch guidance

Prioritize patching this vulnerability given its HIGH severity rating and the broad user base exposed to Acrobat Reader. Adobe typically delivers updates through the built-in update mechanism; configure automatic updates if not already enabled. Test patches in a controlled environment before enterprise rollout to rule out compatibility issues with custom PDFs or plugins. Verify patched version numbers match the official Adobe advisory before considering systems remediated.

Detection guidance

Monitor for unusual Acrobat/Reader process behavior—abnormal child processes, unexpected network connections, or file system modifications following document opens. Endpoint detection and response (EDR) tools can flag suspicious memory access patterns or code execution originating from the Acrobat process. Network-level detection is limited since the vulnerability is local; focus on behavioral analytics and application-level telemetry. Logs indicating failed or attempted Adobe updates may reveal unpatched systems.

Why prioritize this

This is a HIGH-severity local code execution vulnerability in a ubiquitous application that requires only user interaction, not network access or special privileges. The combination of broad software deployment, low exploitation barriers, and the data sensitivity of documents processed by Acrobat makes this a near-term risk. Organizations should treat this as urgent and allocate resources to patch within days, not weeks.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects high impact (confidentiality, integrity, and availability all marked as high), local attack vector, and requirement for user interaction. The score appropriately captures that while exploitation requires social engineering, the consequences are severe—full arbitrary code execution in the user's context. The vulnerability does not currently appear in the KEV catalog, but organizations should not delay patching pending active exploit detection.

Frequently asked questions

Do I need to patch immediately, or can this wait?

Yes, patch as soon as practically possible. While this vulnerability is not yet in the CISA KEV list, the combination of high severity, broad exposure (Acrobat is nearly universal), and low exploitation barriers means attackers will likely develop functional exploits soon. Plan for deployment within 5–7 business days.

Are Acrobat DC and Acrobat Reader DC both vulnerable?

Yes, both product lines are affected up to the specified version numbers. Even if you use Acrobat Reader (the free version) instead of the subscription DC product, you must verify your build number against Adobe's advisory and patch accordingly.

What if I disable opening files from the internet or untrusted sources?

Restricting file opens is a prudent defense-in-depth control, but it is not a substitute for patching. Users will inevitably receive or open documents from email, collaboration tools, or document management systems. Treat this as a temporary risk reduction while patches are deployed.

Will updating my OS protect me if Acrobat is not patched?

No. The vulnerability resides in Acrobat Reader/DC itself, not in Windows or macOS. Patching your operating system will not remediate this issue; you must update Adobe's application.

This analysis is provided for informational purposes and is based on vendor disclosures and public data current as of the modification date. Exploit code or proof-of-concept details are not provided. Organizations must verify patch availability and compatibility within their own environment before deployment. SEC.co makes no warranty as to the completeness or accuracy of third-party vendor advisories. Always consult official Adobe Security Bulletins and your internal risk assessment before deciding on patch timelines. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).