CVE-2026-47923: Adobe Acrobat Reader Out-of-Bounds Memory Read – Information Disclosure Risk
Adobe Acrobat Reader contains a flaw that allows an attacker to read sensitive data from a user's computer memory by tricking them into opening a specially crafted file. The vulnerability doesn't damage files or prevent the application from running, but it could expose confidential information like passwords, encryption keys, or personal data that happens to be in memory at the time of exploitation. Versions 24.001.30365, 26.001.21651 and earlier on Windows and macOS are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This out-of-bounds read vulnerability (CWE-125) in Adobe Acrobat Reader permits attackers to access memory beyond intended boundaries when processing malicious PDF or document files. By crafting a file that triggers improper bounds checking in the application, an attacker can read adjacent memory regions, potentially exfiltrating sensitive data. The attack requires user interaction—the victim must open the malicious file—making it a client-side attack vector. The vulnerability affects multiple versions across Adobe Acrobat DC, Acrobat Reader DC, and standalone Acrobat products on Windows and macOS platforms.
Business impact
Organizations relying on Adobe Reader for document workflows face a data disclosure risk. Sensitive documents processed by affected users—including contracts, financial records, or confidential communications—could expose not just file contents but also sensitive data cached in memory during document processing. For enterprises handling regulated data (healthcare, financial, legal), this creates compliance and incident response obligations. While exploitation requires user interaction, the prevalence of PDF as a document standard and the potential for targeted spear-phishing with malicious PDFs make this a realistic threat in most environments.
Affected systems
Adobe Acrobat Reader DC, Adobe Acrobat DC, and standalone Adobe Acrobat products at version 24.001.30365, 26.001.21651 and earlier are vulnerable. The issue affects both Windows and macOS systems. Users on the latest patched versions are not impacted. Organizations should verify their internal Acrobat/Reader version distribution to scope exposure.
Exploitability
Exploitability requires user interaction—a victim must open a malicious file. There is no evidence of active exploitation (the vulnerability is not on the CISA Known Exploited Vulnerabilities list), and no public exploit code is documented. However, the attack surface is broad: PDFs are ubiquitous in business communication, and social engineering or targeted phishing campaigns could reliably deliver malicious files to users. The barrier to exploitation is moderate; an attacker needs to craft a specially formed file but does not require authentication or special system access.
Remediation
Update Adobe Acrobat Reader, Acrobat DC, and Acrobat to versions after 24.001.30365 and 26.001.21651 respectively. Adobe typically releases security updates monthly; verify the exact patched version numbers against the official Adobe security advisory. For enterprises, prioritize patching on systems handling sensitive or regulated data. Consider complementary controls: educate users to avoid opening files from untrusted sources, disable automatic PDF opening in email clients, and enforce file type restrictions where feasible.
Patch guidance
Apply the latest Adobe security updates immediately for affected products. Adobe provides both auto-update and manual patch options through their Security Updates page. Organizations managing Acrobat deployments should verify patched version numbers in Adobe's official advisory to ensure builds exceed the vulnerable thresholds (24.001.30365 and 26.001.21651). Test patches in a staging environment before broad rollout to ensure compatibility with document workflows and integrations. For macOS users, verify compatibility with the OS version; for Windows, check whether EMET or other memory protections are in place (they may mitigate but do not eliminate the risk).
Detection guidance
Monitor for Adobe Acrobat/Reader crashes or unexpected memory access patterns after opening specific documents. Endpoint Detection and Response (EDR) tools can flag abnormal process memory reads, though signature-based detection of the malicious PDF construct may be limited without vendor-provided indicators. In network logs, look for suspicious outbound connections immediately following document processing—a sign of data exfiltration. Forensic analysis of crash dumps or memory forensics on affected systems may reveal memory contents that were read. Security teams should correlate Adobe update lag with user segments to identify high-risk populations still on older versions.
Why prioritize this
Although the CVSS score is 5.5 (Medium), the practical risk is elevated by the ubiquity of Adobe Reader in enterprise environments, the low barrier to user-targeted exploitation, and the sensitive nature of data that could be exposed from memory. Prioritize systems and users handling regulated or high-value data (finance, legal, healthcare divisions). The lack of active exploitation provides a window to patch without immediate emergency-level urgency, but the user-interaction requirement means that defensive user awareness alone is insufficient.
Risk score, explained
CVSS 3.1 score of 5.5 reflects a local attack vector requiring user interaction, no privilege escalation, and impact limited to confidentiality (information disclosure). No integrity or availability impact raises the severity threshold. However, the score does not account for the breadth of Acrobat's installed base, the targeting risk posed by PDF as a delivery vector, or the sensitivity of in-memory data that could be leaked. Organizations should adjust their internal risk rating upward if users regularly process sensitive documents.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. The attack vector is local (AV:L in the CVSS vector), meaning the malicious file must be opened on the victim's system. Exploitation cannot occur by simply viewing a PDF in a web browser or email preview; the file must be opened in a vulnerable version of Adobe Reader or Acrobat. Remote delivery via email or a compromised website is possible, but execution requires the user to open the attachment.
What data can be stolen if this vulnerability is exploited?
An attacker can read memory adjacent to the intended memory region, potentially exposing any data in RAM at that moment—encryption keys, passwords, session tokens, clipboard contents, or sensitive text from other open applications. The specific data depends on what is in memory and how much the attacker can read. In a targeted attack, an attacker might craft the exploit to target a specific application or document processing scenario.
Is there a temporary workaround if I cannot patch immediately?
There is no perfect workaround, but risk can be reduced by: restricting use of Adobe Reader to trusted, vetted documents only; disabling auto-opening of PDFs in email clients; using web-based PDF viewers (Google Drive, Office 365) for untrusted files; and implementing endpoint monitoring to detect suspicious behavior. These measures lower risk but do not eliminate it; patching is the definitive fix.
How do I verify which version of Adobe Reader I have installed?
In Adobe Reader or Acrobat, open Help > About Adobe Acrobat Reader (or Acrobat). The version number will be displayed (e.g., 24.001.30365). Compare it against the vulnerable versions listed in the advisory. If your version is higher than 24.001.30365 or 26.001.21651, you are not affected. Consult Adobe's official security update page for the exact patched version numbers available for your platform.
This analysis is provided for informational purposes to support vulnerability management and risk assessment. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this content. Vulnerability details, patch availability, and affected product versions should be verified against official vendor advisories and security bulletins before taking remediation action. Users are responsible for assessing their own environment and applying appropriate mitigations in accordance with their security policies and regulatory obligations. This content does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34705MEDIUMAdobe InDesign Out-of-Bounds Memory Read Vulnerability
- CVE-2026-47926MEDIUMAdobe Acrobat Reader Memory Disclosure Vulnerability
- CVE-2026-47961MEDIUMAdobe Acrobat Reader Out-of-Bounds Memory Disclosure Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft