EUVD-2026-35812
GHSA-xhqq-g9f7-p2wv
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Articles & Coverage 1
AnalysisAI
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier stems from a Use After Free condition (CWE-416) that triggers when a victim opens a malicious PDF, yielding execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the file-opening attack pattern is a perennial favorite in phishing and document-borne campaigns targeting Acrobat. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Victim must open a malicious PDF file in a vulnerable Adobe Acrobat Reader build at or below 24.001.30365 (24.x track) or 26.001.21651 (26.x track); no authentication or prior access to the target machine is required of the attacker, only successful social-engineering delivery of the document. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 7.8 reflects the classic client-side document-handler profile: local attack vector (AV:L), low complexity, no privileges required, but user interaction required (UI:R) to open the file, with high impact across CIA. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker emails a finance or HR target a lure PDF disguised as an invoice, resume, or contract; when the user opens it in a vulnerable Acrobat Reader build, crafted objects (often via embedded JavaScript or malformed structures) free and then reuse a heap object, hijacking control flow to attacker shellcode. The payload runs as the logged-in user, providing initial access for credential theft, loader staging, or lateral movement. … |
| Remediation | Apply the vendor-released patch by updating Acrobat Reader to the fixed builds published in Adobe security bulletin APSB26-63 (https://helpx.adobe.com/security/products/acrobat/apsb26-63.html); the advisory enumerates the specific post-24.001.30365 and post-26.001.21651 versions per track. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Acrobat Reader deployments and identify instances of versions 26.001.21651 and earlier in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated networ
Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary
Unauthenticated arbitrary file upload in Amasty Order Attributes for Magento 2 before 4.0.0 lets remote attackers drop a
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs via an uncontrol
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651, and earlier versions occurs through a use-a
Share
External POC / Exploit Code
Leaving vuln.today