CVE-2026-47912: Acrobat Reader | Use After Free (CWE-416)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: — (no fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in Adobe Acrobat Reader (versions 26.001.21651 and earlier) allows an attacker to achieve arbitrary code execution in the context of the logged-in user. The attack is local in delivery but requires a victim to open a malicious file, making it a social-engineering vector rather than a remotely exploitable network service. Successful exploitation gives the attacker full read, write, and execution capabilities within the current user session. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched rebuild the moment Adobe releases one.
HarborGuard Coverage
Detection for CVE-2026-47912 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including any custom-built images that bundle Acrobat Reader. Coverage spans both registry scans and CI/CD pipeline checks, so affected image layers are flagged before deployment. Status: Available.
HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and can weight that score against each customer environment's compliance policy to raise or lower its effective priority. Triage results are routed to the appropriate team inbox within each customer organization based on policy-defined ownership rules. Status: Available.
Because no upstream fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, customers with auto-remediation enabled will receive an alert with compensating-control recommendations and, as soon as the rebuild becomes available, can have a PR opened against affected workloads without manual intervention. Status: Pending upstream.
Exploit Conditions
- Network reachability: Not required
  The attacker does not need network access to the target; exploitation relies on the victim opening a malicious file on their local machine.
- Authentication: Not required
  No account or credentials on the target system are required to deliver the malicious file; the attack is carried through a crafted document.
- Victim interaction: Required
  The victim must actively open a malicious file, meaning the attacker must convince the user to do so through phishing, a download, or another social-engineering method.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads any files and data accessible to the current user account, including stored credentials, documents, and session tokens.
- Modifies or overwrites files within the current user's permissions scope, including application data and configuration files.
- Executes arbitrary code as the current user, enabling installation of malware, backdoors, or further lateral-movement tooling.
- Crashes or destabilizes the Acrobat Reader process, causing loss of unsaved work and potential disruption to dependent workflows.
How HarborGuard Handles This
Available on HarborGuard: automated advisory monitoring for CVE-2026-47912 is active, with the CVE matched against images containing affected Acrobat Reader versions on every ingest cycle. Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard will generate a rebuilt image and, for customers who opt into auto-remediation, open a PR against affected workloads the moment an upstream fix is published. While no patch exists, compensating controls worth considering include restricting deployment of images that bundle Acrobat Reader to environments where PDF rendering is strictly necessary, applying network-policy isolation to limit what a compromised user session can reach, and using file-origin controls or allowlisting policies to reduce the likelihood of a user opening an untrusted document. HarborGuard will surface a rebuild notification and updated triage routing automatically once the advisory status changes.
Affected Products
- Adobe / Acrobat Reader: ≤ 26.001.21651

CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H