HIGH 7.7

CVE-2026-47937: Adobe Acrobat Reader Uncontrolled Search Path Code Execution

Adobe Acrobat Reader contains a flaw in how it searches for and loads libraries or components from the file system. An attacker with administrator or elevated system privileges could craft a malicious file that, when opened by a user, tricks the application into running attacker-controlled code with the same permissions as the user who opened the file. The vulnerability requires both high system privileges to set up and user action to trigger—someone must explicitly open the crafted file.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.7 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-427
Affected products
5 configuration(s)
Published / Modified
2026-06-09 / 2026-06-29

NVD description (verbatim)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47937 is an Uncontrolled Search Path Element vulnerability (CWE-427) affecting Adobe Acrobat Reader on Windows and macOS platforms. The flaw allows an attacker with high privileges to influence the search path used by Acrobat Reader when loading external libraries or resources. By planting a malicious component in a location that Acrobat Reader searches before legitimate system directories, an attacker can achieve arbitrary code execution in the security context of the user running the application. The vulnerability's scope is marked as changed, indicating that exploitation can affect resources or processes beyond the vulnerable component itself. User interaction—opening a malicious PDF or document—is required to trigger the vulnerability.

Business impact

Organizations relying on Acrobat Reader for document handling face a potential code execution risk, particularly in environments where high-privilege accounts regularly open documents from untrusted or semi-trusted sources. While the attack requires elevated system privileges to stage, the ability to execute arbitrary code in the user's context could lead to data exfiltration, lateral movement, malware installation, or system compromise. The scope change suggests potential for privilege escalation or system-wide impact depending on the user's role. Industries handling sensitive documents—legal, finance, healthcare—should treat this with appropriate urgency.

Affected systems

Adobe Acrobat Reader versions 24.001.30365, 26.001.21651, and earlier are affected. The vulnerability impacts both Acrobat Reader DC and standalone Acrobat across Windows and macOS operating systems. Users of Acrobat (the full authoring suite) should also verify their version status against Adobe's advisory. Apple macOS and Microsoft Windows are the confirmed platforms; other operating systems or Acrobat variants require verification against vendor guidance.

Exploitability

Exploitation is feasible but operationally constrained. An attacker must already possess high-level system privileges to manipulate the search path or place malicious components in locations Acrobat Reader will load. This significantly raises the bar compared to remote or unprivileged attacks. However, once positioned, the exploit is reliable—it simply requires a user to open a crafted file, making it practical in targeted scenarios such as supply chain attacks, insider threats, or compromised systems where an attacker has already gained elevated access. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog, suggesting limited public weaponization to date.

Remediation

Adobe has released patched versions addressing this vulnerability. Users should upgrade Acrobat Reader and Acrobat to versions newer than 24.001.30365 and 26.001.21651 respectively. Consult Adobe's official security advisory to confirm the exact patch version for your platform and deployment model. Until patching is complete, organizations should enforce the principle of least privilege to limit who holds high-privilege accounts, restrict document sources to trusted origins, and consider sandboxing or isolated environments for users who must open documents from external sources.

Patch guidance

Verify the latest patched version against Adobe's official security advisory, as version numbers may continue to increment beyond the affected versions listed. Deploy patches through your organization's standard software update channels—Windows Update for Windows deployments, Software Update for macOS, or Adobe's centralized management tools for enterprise Acrobat installations. Prioritize systems where high-privilege users regularly handle external documents. Test patches in a non-production environment first to ensure compatibility with document workflows and any custom Acrobat plugins.

Detection guidance

Monitor file system access patterns for suspicious library or DLL loads from unexpected locations, particularly in temporary directories or user-writable paths. Endpoint detection and response (EDR) tools should flag Acrobat Reader spawning child processes or loading unsigned binaries. Review audit logs for file creation in directories that precede system library search paths. On Windows, monitor registry modifications that alter DLL search order. On macOS, watch for dylib injection attempts or unusual RPATH/RUNPATH modifications in Acrobat processes. Behavioral analysis of Acrobat Reader opening documents from untrusted sources should trigger investigation.

Why prioritize this

This vulnerability merits HIGH priority because it enables arbitrary code execution with user-level privileges in a widely-deployed desktop application. The scope change suggests potential for broader system impact. However, the dual requirement for high system privileges and user interaction provides a slight operational constraint that prevents this from being CRITICAL in most environments. Organizations should patch within 30 days, with faster timelines for systems handling sensitive documents or in high-risk threat models.

Risk score, explained

The CVSS 3.1 score of 7.7 (HIGH) reflects the combination of local attack vector, high privilege requirement, required user interaction, and high impact across confidentiality, integrity, and availability. The score appropriately penalizes the attack surface by requiring both elevated system privileges and user action, lowering it from critical. The scope change (S:C) indicates that exploitation can compromise security properties beyond Acrobat itself, justifying the upper end of the HIGH range. Organizations with mature EDR and privilege management may assess their environmental risk as somewhat lower, but the inherent severity remains HIGH.

Frequently asked questions

Do I need administrative privileges to be exploited by this vulnerability?

No, but the attacker does. An attacker with high system privileges (such as administrator or system account access) can stage the malicious components. The user being attacked only needs normal user privileges to open a document, making this a realistic threat in scenarios where an attacker has already compromised a high-privilege account or is an insider.

Is this vulnerability actively being exploited in the wild?

As of the last update, CVE-2026-47937 is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting that public, weaponized exploits are not widespread. However, targeted or private exploitation cannot be ruled out, and early awareness and patching remain prudent.

Can this vulnerability be exploited remotely?

No. The attack vector is local, meaning the attacker and victim must share access to the same system or the victim must open a file delivered via email or download. Remote code execution is not possible from this vulnerability alone.

What should I do if I cannot patch immediately?

Implement compensating controls: enforce the principle of least privilege to minimize high-privilege accounts, restrict document sources to trusted vendors, educate users to be cautious with unexpected file attachments, and consider sandboxing Acrobat Reader in isolated virtual machines for high-risk documents. Monitor for suspicious Acrobat behavior using EDR tools.

This analysis is based on publicly available information current as of the vulnerability publication date. Specific patch version numbers, timelines, and product support status should be verified directly against Adobe's official security advisory and product documentation. Environmental risk may vary based on organizational controls, threat model, and deployment configuration. This is not a substitute for professional security assessment or vendor guidance. SEC.co makes no warranty regarding the completeness or accuracy of derived information beyond the source data provided. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).