Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Analysis (AI)
A use-after-free in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) allows arbitrary code execution in the context of the current user when a victim opens a malicious PDF. No public exploit was identified at the time of analysis and no EPSS score was available, but the CVSS 3.1 base score of 7.8 (High) together with Reader's very large install base makes this a standard patch priority. …
Attack Chain (AI-derived) [figure]: hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The victim must open a malicious PDF in a vulnerable Acrobat Reader build (24.001.30365, 26.001.21651, or earlier). This is the explicit prerequisite in the NVD description and is reflected in the CVSS UI:R metric. … |
| Risk Assessment | The CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H describes a client-side, user-interaction-required flaw with no privileges required and full confidentiality, integrity and availability impact, characteristic of document-borne code execution rather than a network-exposed service flaw. Note that AV:L does not mean the attacker needs local access: under CVSS 3.1 a document delivered by email or web but opened on the victim's machine is scored as Local. … |
| Exploit Scenario | An attacker emails or hosts a weaponized PDF that, when opened in a vulnerable Reader build, manipulates object lifetimes to trigger the use-after-free; the freed heap chunk is groomed and reclaimed with attacker-controlled data, hijacking control flow to execute shellcode in the user's security context. A typical follow-on is a loader that drops a commodity infostealer or RAT and persists through standard user-level mechanisms. … |
| Remediation | Apply the Adobe security update referenced in advisory APSB26-63 (https://helpx.adobe.com/security/products/acrobat/apsb26-63.html) to move Acrobat Reader past the affected 24.001.30365 / 26.001.21651 builds. A patch is available per the vendor advisory; consult the bulletin for the exact fixed version on each track. … |
Recommended Action (AI)
Within 24 hours: issue a security alert telling users not to open PDFs from untrusted sources; inventory deployed Reader versions against the affected builds and record patch status in patch-management tracking. …
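The inventory step above needs a version check that respects Adobe's two release tracks rather than a plain string comparison. The script below is an added example, not code from the page or from Adobe. It assumes, since the page does not say so, that the 24.001.30365 ceiling belongs to the Classic track and the 26.001.21651 ceiling to the Continuous track, that 25.x builds count as "earlier" than 26.001.21651, and that the inventory arrives as constructed `hostname,version` lines. A build above a ceiling is reported only as "not-listed", because the fixed version comes from the vendor bulletin, not from this check.

```python
"""Triage an Acrobat Reader inventory against the affected builds named in the
NVD description (24.001.30365 / 26.001.21651 and earlier).

Added example, not vendor or page code. Assumptions not stated on the page:
the 24.x ceiling is the Classic track and the 26.x ceiling the Continuous
track; 25.x builds count as earlier than 26.001.21651; the CSV inventory
format and the hosts in SAMPLE_INVENTORY are constructed sample data.
"""
from typing import List, Tuple

# Highest affected build per track, per the NVD text ("and earlier").
AFFECTED_CEILINGS = {
    "classic": (24, 1, 30365),      # 24.001.30365
    "continuous": (26, 1, 21651),   # 26.001.21651
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '24.001.30365' into (24, 1, 30365); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {text!r}")
    return tuple(int(p) for p in parts)


def track_for(version: Tuple[int, ...]) -> str:
    """Assumption: 24.x is the Classic track, everything else Continuous."""
    return "classic" if version[0] == 24 else "continuous"


def is_affected(text: str) -> bool:
    """True when the build is at or below its track's affected ceiling.

    Builds above the ceiling are only 'not listed as affected'; the actual
    fixed version must be taken from the vendor bulletin.
    """
    version = parse_version(text)
    return version <= AFFECTED_CEILINGS[track_for(version)]


# Constructed sample inventory: "hostname,version" lines as an endpoint agent
# or software-inventory export might produce. Not real hosts.
SAMPLE_INVENTORY = """\
ws-001,24.001.30365
ws-002,24.001.30366
ws-003,26.001.21651
ws-004,26.001.21652
ws-005,25.001.20432
ws-006,not-installed
"""


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows; status is one of
    'affected', 'not-listed' or 'unparseable'."""
    rows = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        try:
            status = "affected" if is_affected(version) else "not-listed"
        except ValueError:
            status = "unparseable"
        rows.append((host, version, status))
    return rows


def affected_hosts(inventory: str) -> List[str]:
    """Hosts that need the APSB26-63 update according to the ceilings above."""
    return [host for host, _, status in triage(inventory) if status == "affected"]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {version:16} {status}")
```

Unparseable entries are reported separately rather than silently skipped, so a host whose agent returned "not-installed" or a malformed string still shows up for manual review instead of disappearing from the patch list.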
External POC / Exploit Code
EUVD-2026-35824
GHSA-349x-cfmq-2m5w