CVE-2026-47926 Adobe Acrobat Reader Memory Disclosure Vulnerability
Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier contain a memory reading flaw that allows attackers to extract sensitive information from your system. The vulnerability requires a user to open a specially crafted malicious file, making social engineering a necessary component of any attack. While the flaw cannot be used to modify files or crash the application, the potential for exposing confidential data—such as encryption keys, credentials, or personal information resident in memory—presents a meaningful risk to organizations handling sensitive documents.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability is classified as an out-of-bounds read (CWE-125), where Acrobat Reader accesses memory regions beyond the bounds of an allocated buffer. The flaw exists in versions through 24.001.30365 on the legacy track and 26.001.21651 on the current track. The affected memory read has no authentication requirement and runs at the user's privilege level. Exploitation mandates user interaction—specifically, the victim must open a malicious PDF or related file crafted to trigger the out-of-bounds condition. Once triggered, the application may leak sensitive data from adjacent memory regions into attacker-controlled output channels, such as rendered content or file metadata accessible to the threat actor.
Business impact
Information disclosure vulnerabilities in widely-deployed document readers create organizational risk in several ways. Acrobat Reader's ubiquity means the attack surface spans nearly all office environments. A compromised document could leak trade secrets, source code, customer lists, or authentication tokens cached in memory during the session. For regulated industries (finance, healthcare, legal), unauthorized disclosure of confidential data may trigger breach notification obligations and regulatory penalties. The requirement for user interaction limits the attack scope to targeted campaigns, but the low barrier to exploitation—malicious PDFs are trivial to distribute via email—makes this a credible threat for spear-phishing and strategic document-based attacks.
Affected systems
Adobe Acrobat and Acrobat Reader DC versions 24.001.30365 and earlier (legacy continuous track) and 26.001.21651 and earlier (current continuous track) are affected. Both Windows and macOS deployments are vulnerable. Apple macOS and Microsoft Windows systems running these Acrobat versions are in scope. No server-side or cloud-only impact is documented; the vulnerability is local to the endpoint running the reader application.
Exploitability
The vulnerability is not yet in active public exploitation and has not been added to CISA's Known Exploited Vulnerabilities catalog. However, exploitability is moderate: the attack requires crafting a malicious file and user interaction to open it, but no special privilege escalation or complex manipulation is necessary once the file is opened. The out-of-bounds read itself is triggered automatically during normal file parsing. Targeted spear-phishing campaigns could easily weaponize this flaw. Organizations with robust email controls and user security awareness training can reduce but not eliminate risk, since legitimate-looking documents from trusted senders remain a viable vector.
Remediation
Update Acrobat Reader to versions newer than 24.001.30365 (legacy track) or 26.001.21651 (current track). Adobe typically releases patched versions within weeks of advisory publication. Check the Adobe security advisory directly for the specific patched version numbers and release schedule, as patch versions vary by track and operating system. Deploy updates via your standard patch management process, prioritizing systems used by high-risk user populations (executives, legal, finance) who handle sensitive documents.
Patch guidance
1. Identify which Acrobat Reader versions are deployed in your environment using endpoint management tools or manual audit. 2. Consult Adobe's official security advisory to confirm the patched version for your release track (legacy vs. current) and operating system. 3. Test the patch in a non-production environment to verify compatibility with plugins, workflows, and dependent systems. 4. Roll out updates through your centralized patch management system, prioritizing high-risk user populations. 5. For organizations unable to patch immediately, consider restricting opening of PDFs from untrusted sources and disabling automatic opening of email attachments.
Detection guidance
Endpoint detection and response (EDR) tools can monitor for unusual process behavior or memory access patterns associated with out-of-bounds reads, though detection is inherently difficult because the vulnerability triggers during normal file parsing. Monitor for Acrobat Reader crashing or abnormal termination when opening suspicious PDFs—though this vulnerability does not cause a crash, related exploitation attempts might. Network-level detection is unlikely to succeed since the attack is file-based. Behavioral analysis of user activity post-opening of PDFs from external sources may surface suspicious downstream actions (e.g., credential abuse or lateral movement) if memory leakage is leveraged. Implement application whitelisting for Acrobat Reader and restrict its ability to execute external scripts or connect to unexpected network resources.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The CVSS 3.1 score of 5.5 (MEDIUM) reflects the information disclosure impact and low attack complexity, offset by the requirement for user interaction and lack of integrity/availability impact. The absence of exploitation in the wild and non-KEV status reduce immediate urgency compared to critical remote-code-execution flaws. However, given Acrobat Reader's prevalence and the plausibility of targeted spear-phishing, security teams should not defer patching beyond 60–90 days. Organizations handling particularly sensitive data (M&A, litigation, healthcare, finance) should prioritize faster timelines.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a medium-severity vulnerability. The attack vector is local (AV:L), requiring the user to interact with a malicious file on their endpoint. Attack complexity is low (AC:L)—no special conditions or privilege escalation are needed. No special privileges (PR:N) are required to trigger the flaw. The impact is strictly to confidentiality (C:H)—memory contents may be disclosed—while integrity (I:N) and availability (A:N) are unaffected. The user scope is unchanged (S:U). The score appropriately captures a data exposure risk that is credible but constrained by user interaction and local scope, distinguishing it from network-exploitable or privilege-escalation flaws.
Frequently asked questions
Do I need to update immediately, or can this wait?
No emergency action is required. This is not in active exploit, nor is it a KEV entry. However, plan to deploy patches within 60–90 days, sooner if users in your organization regularly handle sensitive documents from external parties. Prioritize systems used by high-value targets (executives, legal, finance).
How would an attacker actually use this vulnerability?
An attacker would craft a malicious PDF designed to trigger the out-of-bounds read when opened. If the file is opened by the victim in Acrobat Reader, the flaw could leak sensitive data from memory—such as encryption keys, passwords, or confidential file content—that the attacker can then intercept. The attack requires social engineering (e.g., spear-phishing) to convince the user to open the file.
Why can't this be detected or prevented at the network level?
Because the vulnerability is triggered at the endpoint during local file parsing, not during network communication. Traditional network intrusion detection cannot see the contents of a file or monitor memory access on an end user's machine. Prevention relies on email controls, user training, and endpoint security tools rather than network defenses.
Do I need to block Acrobat Reader, or can I just patch?
Patching is the preferred and sufficient remediation. Blocking Acrobat Reader outright is not practical for most organizations. In the interim before patching is complete, consider restricting users' ability to open PDFs from untrusted external sources and disabling auto-opening of email attachments.
This analysis is provided for informational purposes and reflects the current state of publicly available information as of the publication date. CVSS scores, patch versions, and KEV status are sourced from official vendor advisories and CISA data. Security teams should verify patch availability and compatibility in their environment before deploying. No liability is accepted for the accuracy or completeness of this analysis or for any actions taken based on it. Consult Adobe's official security advisory and your vendor documentation for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34705MEDIUMAdobe InDesign Out-of-Bounds Memory Read Vulnerability
- CVE-2026-47923MEDIUMAdobe Acrobat Reader Out-of-Bounds Memory Read – Information Disclosure Risk
- CVE-2026-47961MEDIUMAdobe Acrobat Reader Out-of-Bounds Memory Disclosure Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft