CVE-2026-47955: Adobe Acrobat Reader Use After Free Code Execution Vulnerability
A Use After Free flaw in Adobe Acrobat Reader allows an attacker to execute arbitrary code on a victim's computer. The vulnerability exists in specific versions of Reader (24.001.30365, 26.001.21651 and earlier) and requires the victim to open a specially crafted malicious file. Once exploited, the attacker gains the same privileges as the user running the application, potentially allowing them to steal data, install malware, or modify documents.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47955 is a Use After Free (CWE-416) memory corruption vulnerability in Adobe Acrobat Reader. This class of defect occurs when code attempts to access memory that has already been freed, which can be exploited to corrupt the heap and redirect execution flow. The vulnerability manifests in Acrobat Reader versions 24.001.30365 and 26.001.21651 or earlier. Exploitation requires user interaction—specifically, opening a malicious PDF or similar document—but once triggered, allows arbitrary code execution within the security context of the application and logged-in user. The CVSS v3.1 score of 7.8 (HIGH) reflects high impact across confidentiality, integrity, and availability, with local attack vector and no privilege escalation requirement.
Business impact
This vulnerability poses a direct risk to organizations where users frequently handle PDF documents from external or untrusted sources. Successful exploitation could lead to data exfiltration, unauthorized document modification, credential theft, and lateral movement within a network if the affected user account has elevated privileges. Industries reliant on secure document handling—legal, financial, healthcare—face heightened risk. The need for user interaction (opening a file) means social engineering or spear-phishing campaigns targeting file distribution are viable attack vectors.
Affected systems
Adobe Acrobat Reader DC and Adobe Acrobat DC are directly affected on Windows and macOS platforms in versions 24.001.30365 and 26.001.21651 or earlier. The vulnerability also impacts other Acrobat products. Both consumer and enterprise deployments of these applications are in scope. Organizations using auto-update features may have already received patches; those with deferred or manual update processes face active exposure.
Exploitability
While the vulnerability requires user interaction (opening a malicious file), this does not significantly impede real-world exploitation. Attackers can distribute malicious PDFs via email, file-sharing platforms, or compromised websites using social engineering tactics. The use-after-free condition is reliably triggerable in affected versions, and successful exploitation grants code execution at the application level. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the HIGH CVSS score and ease of weaponization mean it is attractive to threat actors. Proof-of-concept development is likely underway or complete in private threat communities.
Remediation
Adobe has released patches for affected versions. Organizations should immediately update Acrobat Reader to a patched version released after June 2026. Verify the exact patched version numbers through Adobe's official security advisory. Interim mitigation includes disabling or restricting PDF opening from untrusted sources, running Reader in a sandboxed environment if available, and blocking known malicious file hashes via endpoint protection. User awareness training on the risks of opening unsolicited attachments is essential.
Patch guidance
Consult Adobe's official security bulletin for the specific patched version numbers applicable to your deployment (e.g., Reader DC or Acrobat DC on Windows or macOS). Verify patch applicability against your current version number (compare against the vulnerable versions 24.001.30365, 26.001.21651 and earlier). Enable automatic updates where feasible; if manual patching, prioritize systems used by high-value targets such as executives, legal staff, or finance teams. Test patches in a non-production environment before enterprise rollout to ensure compatibility with existing workflows and plugins.
Detection guidance
Monitor for anomalous process behavior spawned from Acrobat Reader or Acrobat DC processes, particularly suspicious child processes, network connections, or file system modifications. Endpoint Detection and Response (EDR) solutions should flag Use After Free exploits via memory corruption signatures. Log and alert on failed or successful exploitation attempts via application crash dumps or OS-level security events. Network segmentation can limit lateral movement if Reader is compromised. Consider blocking or quarantining PDF files from high-risk sources at the email gateway. Endpoint protection signatures for this CVE should be deployed as vendors release them.
Why prioritize this
A HIGH-severity, locally-exploitable arbitrary code execution vulnerability in ubiquitous software (PDF readers are industry-standard) warrants immediate patching. The reliance on user interaction is a minor limiting factor given the prevalence of spear-phishing and social engineering. Organizations should treat this as a critical patching priority within their vulnerability management workflow, alongside other remote code execution flaws, particularly in segments where document handling is frequent.
Risk score, explained
The CVSS v3.1 score of 7.8 (HIGH) reflects the confluence of high-impact outcomes (confidentiality, integrity, availability all affected), local attack vector, low attack complexity, no privilege escalation, and required user interaction. The score appropriately captures the practical risk: while user action is needed, successful exploitation grants near-total system compromise at the application level. Organizations operating in high-security or high-trust environments should consider this a critical finding.
Frequently asked questions
Does this vulnerability require administrative privileges to exploit?
No. The vulnerability requires only that a user open a malicious file. The attacker's code runs in the context of the user who opened the file; if that user is an administrator, the compromise is more severe, but standard users are also at risk.
Are there known exploits or proof-of-concept code publicly available?
As of the publication date, this vulnerability is not listed in the CISA KEV catalog, suggesting active weaponization has not been publicly confirmed. However, organizations should assume threat actors are developing or have developed exploits given the HIGH severity and straightforward attack vector.
Can I mitigate this without patching immediately?
Interim mitigations include disabling PDF opening from email or untrusted sources, running Acrobat in a sandbox or restricted environment, and leveraging endpoint protection. However, patching is the definitive remediation and should be prioritized. Patching cannot be indefinitely postponed.
Which Acrobat products are affected?
Adobe Acrobat Reader DC and Adobe Acrobat DC on Windows and macOS are the primary targets. Verify your product version and confirm its presence in the list of vulnerable versions (24.001.30365, 26.001.21651 and earlier) by checking Adobe's security advisory.
This analysis is provided for informational purposes. Patch version numbers and official remediation steps must be verified against Adobe's official security advisories and vendor documentation. Exploitation details and proof-of-concept code are not provided in this summary. Organizations are responsible for assessing their own risk and implementing appropriate controls. SEC.co makes no warranties regarding the accuracy or completeness of this intelligence and recommends consulting with Adobe support and your internal security team before deploying patches. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34696HIGHAdobe InDesign Use After Free Remote Code Execution Vulnerability
- CVE-2026-47912HIGHAdobe Acrobat Reader Use-After-Free Remote Code Execution
- CVE-2026-47913HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47914HIGHAcrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47915HIGHAdobe Acrobat Reader Use-After-Free Code Execution Vulnerability
- CVE-2026-47916HIGHAdobe Acrobat Reader Use-After-Free Vulnerability (7.8 HIGH)
- CVE-2026-47917HIGHAcrobat Reader Use-After-Free RCE Vulnerability
- CVE-2026-47918HIGHAcrobat Reader Use-After-Free Remote Code Execution Vulnerability