Description
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Patch Immediately
AI Analysis

Impact

Acrobat Reader versions up to 25.001.21265 suffer from a use‑after‑free flaw that allows arbitrary code execution when a user opens a malicious file such as a crafted PDF. The flaw stems from improper memory management: memory is freed too early, leaving a dangling pointer that an attacker can exploit to overwrite memory contents or execute code.

Affected Systems

The vulnerability affects Adobe Acrobat Reader Classic and Acrobat Reader DC on both Windows and macOS platforms. Specifically, versions 24.001.30307, 24.001.30308, 25.001.21265 and all earlier releases are vulnerable, placing any user who runs these versions at risk if they open an attacker‑crafted file.

Risk and Exploitability

With a CVSS score of 7.8 and an EPSS of less than 1%, the issue is high in severity but low in exploitation probability. Exploitation requires active user interaction (the victim must open a malicious file) but does not require compromised credentials or privileged execution. Adobe has issued a security patch, and users should apply the update immediately to eliminate the possibility of arbitrary code execution.

Generated by OpenCVE AI on April 16, 2026 at 03:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Acrobat Reader to the latest version published by Adobe.
  • Enable automatic updates or verify that the applied patch corresponds to the latest release noted in Adobe’s Advisory (APSB26‑26).
  • Avoid opening PDF files from untrusted or unknown sources until the reader is updated.



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe acrobat, Adobe acrobat Dc, Adobe acrobat Reader Dc, Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*, cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*, cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Adobe acrobat, Adobe acrobat Dc, Adobe acrobat Reader Dc, Apple, Apple macos, Microsoft, Microsoft windows |

Wed, 11 Mar 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 11 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe acrobat Reader |
| Vendors & Products | | Adobe, Adobe acrobat Reader |

Tue, 10 Mar 2026 22:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Acrobat Reader \| Use After Free (CWE-416) |
| Weaknesses | | CWE-416 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:08:16.071Z

Reserved: 2026-02-18T22:02:41.380Z

Link: CVE-2026-27220

Vulnrichment

Updated: 2026-03-11T13:02:05.559Z

NVD

Status: Analyzed

Published: 2026-03-10T22:16:17.927

Modified: 2026-03-11T18:15:09.303

Link: CVE-2026-27220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses