MEDIUM 5.5

CVE-2026-47961: Adobe Acrobat Reader Out-of-Bounds Memory Disclosure Vulnerability

Adobe Acrobat Reader contains an out-of-bounds read flaw that allows attackers to extract sensitive data from system memory. The vulnerability requires user interaction—specifically, opening a malicious PDF or document file. When triggered, the flaw exposes unintended memory contents that could include confidential information resident in the application's process space.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
5 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47961 is an out-of-bounds read vulnerability (CWE-125) in Adobe Acrobat Reader affecting versions 24.001.30365, 26.001.21651, and earlier on Windows and macOS platforms. The vulnerability stems from improper bounds checking during memory access operations. When a specially crafted file is opened, the application reads beyond allocated buffer boundaries, causing disclosure of adjacent memory regions. The CVSS 3.1 score of 5.5 (MEDIUM) reflects high confidentiality impact with no integrity or availability compromise, constrained by the local attack vector and user interaction requirement.

Business impact

This vulnerability poses a moderate but concrete data exfiltration risk to organizations where users regularly handle PDF files or Acrobat documents. Attackers could craft malicious documents designed to leak credentials, authentication tokens, API keys, or other secrets resident in Acrobat Reader's memory during document processing. The risk is amplified in environments handling sensitive contract review, financial documentation, or internal communications. However, the requirement for user interaction limits the attack surface compared to remote code execution flaws.

Affected systems

Adobe Acrobat Reader versions 24.001.30365 and earlier, as well as version 26.001.21651 and earlier, are vulnerable on both Windows and macOS systems. Organizations should verify their deployed versions against Adobe's advisories. Apple macOS and Microsoft Windows platforms are confirmed affected; check with your internal asset inventory for Acrobat Reader deployment scope.

Exploitability

This vulnerability is not currently tracked on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been formally documented at publication. Exploitation requires user interaction and local file access, making opportunistic mass exploitation unlikely. However, targeted spear-phishing campaigns distributing malicious PDFs to specific employees could be feasible. The moderate CVSS score and information-disclosure-only impact make this less attractive to ransomware operators than remote code execution flaws.

Remediation

Update Adobe Acrobat Reader to patched versions beyond 24.001.30365 and 26.001.21651 respectively. Verify the exact patch version against Adobe's security bulletin, as version numbering may differ between release tracks. Organizations should prioritize patching systems used by high-value targets (finance, legal, executive staff) who handle sensitive documents. Implement application controls restricting Acrobat Reader's execution on high-risk systems if feasible.

Patch guidance

Obtain patches directly from Adobe's official security advisories and update management portal. Do not rely on third-party sources. For Windows deployments, use Adobe's Update Manager or deploy patches via your MDM solution. macOS users should enable automatic updates or manually download from Adobe's website. Test patches in non-production environments first, particularly with legacy document workflows, to ensure compatibility. Verify successful patch deployment by confirming version numbers post-update.

Detection guidance

Monitor for unusual process behavior from Acrobat Reader, including unexpected memory access patterns or file reads. Endpoint Detection and Response (EDR) tools should flag attempts to open suspicious PDF files from external or untrusted sources. Implement file integrity monitoring on document repositories to detect malicious document injection. Network-based detection is limited given the local attack vector, but monitor for exfiltration of sensitive data following Acrobat Reader process execution. Behavioral analytics may detect memory-dumping activities associated with exploitation attempts.

Why prioritize this

While the CVSS score is moderate (5.5), prioritize this based on organizational risk tolerance for data disclosure and the prevalence of Acrobat Reader in your environment. Prioritize higher if your organization handles regulated data (HIPAA, PCI-DSS, GDPR) or if document workflows are business-critical. The user-interaction requirement provides some natural friction, but well-targeted phishing can overcome this. Deprioritize only if Acrobat Reader is not widely deployed or if strong user security awareness training is in place.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects a MEDIUM severity classification based on: high confidentiality impact (C:H) due to unrestricted memory disclosure, no integrity or availability impact (I:N, A:N), local attack vector (AV:L) constraining reach to local attackers or compromised systems, low attack complexity (AC:L) indicating straightforward exploitation, and required user interaction (UI:R) as a mitigating factor. The score appropriately places this below critical remote code execution flaws but above low-impact issues.

Frequently asked questions

Could this vulnerability be exploited remotely?

No. The attack vector is local (AV:L), meaning an attacker must either have local system access or trick a user into opening a malicious file on the target system. Remote exploitation without user interaction is not possible with this vulnerability.

What information could be disclosed?

The out-of-bounds read exposes whatever data is adjacent to the memory region being accessed by Acrobat Reader. This could include sensitive information such as credentials, encryption keys, session tokens, or data from other processes depending on memory layout and what is currently resident in the application's address space.

Is this vulnerability being actively exploited?

As of the publication date, this vulnerability is not listed on the CISA KEV catalog, indicating no confirmed active exploitation in the wild. However, this does not guarantee the flaw will not be exploited in targeted campaigns, particularly against high-value targets.

Do I need to update immediately?

Patch urgently if your organization handles sensitive documents or if users in high-risk roles (finance, legal, executive) use Acrobat Reader. For general deployments with standard document workflows, schedule patches within your standard update cycle. Do not delay indefinitely, as the attack surface may grow over time.

This analysis is based on published vulnerability data as of June 2026. Organizations must verify affected version numbers, patch availability, and remediation timelines against official Adobe security advisories and their own internal asset inventories. This summary does not constitute legal or compliance advice. Always test patches in non-production environments before broad deployment. Risk assessments should be tailored to your organization's specific security posture, data classification, and regulatory obligations. SEC.co makes no warranty regarding the completeness or accuracy of remediation steps and recommends consulting official vendor documentation and engaging qualified security professionals for implementation. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).