CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Analysis
A Use After Free (UAF) vulnerability in Adobe Acrobat Reader allows arbitrary code execution with the privileges of the current user. Affected versions include 24.001.30235, 20.005.30763, 25.001.20521 and earlier across multiple release tracks. Exploitation requires user interaction (opening a malicious PDF file), but the high CVSS score of 7.8 and the local attack vector still indicate significant real-world risk; KEV listing and active exploitation status should be confirmed from official sources.
Technical Context
This vulnerability is classified as CWE-416 (Use After Free), a memory safety issue in which the application continues to use memory after it has been freed. In Adobe Acrobat Reader's PDF parsing engine, this likely occurs during the processing of maliciously crafted PDF objects or embedded content (JavaScript, media, form fields). A UAF condition lets an attacker place controlled data in the freed memory before the stale reference is used again, which can lead to arbitrary code execution in the context of the Reader process. The affected CPE ranges cover Adobe Acrobat Reader DC across the continuous release tracks (24.x and 25.x) and the legacy 20.x branch, suggesting the vulnerability spans multiple code paths across different maintenance versions and may involve shared PDF processing libraries.
Affected Products
Adobe Acrobat Reader: version 24.001.30235 and earlier (2024 continuous release track); version 25.001.20521 and earlier (2025 continuous release track); version 20.005.30763 and earlier (classic 2020 track). The corresponding CPE identifier is cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:* with version constraints <=24.001.30235, <=25.001.20521 and <=20.005.30763 respectively. Note: under Adobe's continuous release model, 24.x and 25.x are actively maintained branches, while 20.x is in legacy support. Users on any of these three version tracks are affected. Vendor advisory and patch availability should be confirmed via Adobe's official security bulletins (typically published at adobe.com/security).
Remediation
Immediate actions:
(1) Update Adobe Acrobat Reader to a version newer than 24.001.30235 (likely 24.002.x or later), newer than 25.001.20521 (likely 25.002.x or later), or newer than 20.005.30763 (if applicable). Check Adobe's official security update page for the specific patch versions released after this CVE announcement.
(2) Enable automatic updates in Acrobat Reader preferences (Edit > Preferences > Security > Check for Updates).
(3) Interim mitigations if immediate patching is not feasible: disable JavaScript execution in PDF files (Edit > Preferences > Security > Enhanced Security), restrict file associations for PDF files to prevent automatic opening, and implement email filtering to block suspicious PDF attachments.
(4) User education: advise users to be cautious when opening PDF files from untrusted sources, especially unexpected email attachments.
(5) Endpoint detection: deploy behavioral monitoring for abnormal process execution spawned from Reader processes (parent: AdobeReader.exe/acroread).
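One way to implement the endpoint detection in step (5), as an added example that is not part of this advisory: a small Python rule that classifies process-creation events (Sysmon Event ID 1 style fields) by whether a Reader process spawned a shell or script host. The parent names AdobeReader.exe and acroread come from the text; AcroRd32.exe, Acrobat.exe, the child allowlist and the suspicious-child baseline are assumptions to tune for the environment, and the sample events are constructed.

```python
import ntpath

# Parents to watch: AdobeReader.exe and acroread are the names in the remediation
# text; AcroRd32.exe and Acrobat.exe are the Windows executable names Adobe ships
# (an assumption about the monitored environment).
READER_PARENTS = {"adobereader.exe", "acroread", "acrord32.exe", "acrobat.exe"}
# Children a PDF viewer has no ordinary reason to start (assumed baseline; tune it).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "sh", "bash"}
# Children Reader is expected to spawn, such as its updater (assumed allowlist).
KNOWN_GOOD_CHILDREN = {"adobearm.exe", "acrocef.exe"}

def image_name(path):
    """Lower-cased file name from a Windows or POSIX path (ntpath splits on both)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Verdict for one process-creation event: ignore, allow, review or alert."""
    if image_name(event.get("ParentImage", "")) not in READER_PARENTS:
        return "ignore"  # not a Reader child, out of scope for this rule
    child = image_name(event.get("Image", ""))
    if child in KNOWN_GOOD_CHILDREN:
        return "allow"
    if child in SUSPICIOUS_CHILDREN:
        return "alert"   # shell or script host launched by the PDF viewer
    return "review"      # unexpected child, lower priority than an alert

def scan(events):
    """Bucket events by verdict, dropping the ignored ones."""
    buckets = {"alert": [], "review": [], "allow": []}
    for event in events:
        verdict = classify(event)
        if verdict != "ignore":
            buckets[verdict].append(event)
    return buckets

# Constructed events in the shape of Sysmon Event ID 1 fields (not real logs).
READER = r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": READER},
    {"ParentImage": READER, "Image": r"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"},
    {"ParentImage": READER, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": "/usr/bin/acroread", "Image": "/bin/sh"},
    {"ParentImage": READER, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for verdict, hits in scan(SAMPLE_EVENTS).items():
        for e in hits:
            print(verdict, image_name(e["ParentImage"]), "->", image_name(e["Image"]))
```

Feed it real process-creation telemetry by mapping your EDR's parent/child image fields onto ParentImage and Image; the "review" bucket is where a site-specific allowlist gets built over time.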
EUVD-2025-17827