Description
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Use After Free flaw in Adobe Acrobat Reader that allows an attacker to gain arbitrary code execution in the context of the current user. The fault arises when memory that has already been freed is accessed again, enabling manipulation of program flow and the execution of attacker‑supplied code. No additional exploitation steps are disclosed beyond the exploitation of the memory corruption.

Affected Systems

Adobe Acrobat Reader versions 24.001.30365, 26.001.21651, and all earlier releases are affected. The vulnerability applies to all platforms that run these binaries, including Windows, macOS, and Linux distributions that ship the standard reader.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attack requires user interaction: a victim must open a crafted PDF file. If the user interacts with such a file, the attacker could execute code with the user's privileges. The flaw is publicly known and can potentially be exploited using readily available PDF generators without requiring additional credentials.

Generated by OpenCVE AI on June 9, 2026 at 21:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Acrobat Reader to the latest available version, which contains the fix for the use‑after‑free flaw
  • Disable or restrict Acrobat Reader’s JavaScript engine to prevent execution of embedded scripts that could trigger the vulnerability
  • Educate users to avoid opening PDF files from untrusted or unknown sources

Generated by OpenCVE AI on June 9, 2026 at 21:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe acrobat Reader
Vendors & Products Adobe
Adobe acrobat Reader

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Acrobat Reader | Use After Free (CWE-416)
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Acrobat Reader
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:01:14.406Z

Reserved: 2026-05-20T15:50:31.360Z

Link: CVE-2026-47921

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T21:17:22.087

Modified: 2026-06-09T21:17:22.087

Link: CVE-2026-47921

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:15:18Z

Weaknesses