Description
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Acrobat Reader contains a use‑after‑free flaw: a crafted PDF can trigger an access to memory that has already been freed, enabling the attacker to execute arbitrary code in the context of the user who opens the file. This vulnerability, classified as CWE‑416, can compromise the confidentiality, integrity, or availability of the user’s device. The flaw is specifically tied to the handling of PDF content and does not provide an attacker with elevated privileges beyond the current user context.

Affected Systems

The vulnerability affects Adobe Acrobat Reader versions 24.001.30365, 26.001.21651, and all earlier releases of these major versions. Any installation of Adobe Acrobat Reader built on those product lines is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 places this issue in the High severity range, reflecting the potential for arbitrary code execution. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of widespread exploitation is currently unknown. Exploitation depends on user interaction, since a user must open a malicious PDF. Attackers could craft a PDF that, when opened by a target, triggers the use‑after‑free condition and runs arbitrary code with the user’s privileges.

Generated by OpenCVE AI on June 9, 2026 at 21:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Acrobat Reader to the latest security release, which removes the use‑after‑free bug.
  • Enable Protected Mode or sandboxing in Acrobat Reader settings to restrict the execution environment for PDFs.
  • Instruct users to only open PDF documents from trusted sources and scan attachments with up‑to‑date antivirus before viewing.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe acrobat Reader |
| Vendors & Products | | Adobe; Adobe acrobat Reader |

Tue, 09 Jun 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Acrobat Reader \| Use After Free (CWE-416) |
| Weaknesses | | CWE-416 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:01:22.949Z

Reserved: 2026-05-20T15:50:31.360Z

Link: CVE-2026-47916

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T21:17:21.477

Modified: 2026-06-09T21:17:21.477

Link: CVE-2026-47916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:45:17Z

Weaknesses