HIGH | CVE-2026-47913 | Published | Modified | CNA: adobe

CVE-2026-47913: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability affects Adobe Acrobat Reader versions 26.001.21651 and earlier (including 24.001.30365 and earlier in the 24.x line). The flaw is triggered locally when a user opens a maliciously crafted file, requiring no network exposure and no authenticated account, only a victim who opens the file. Successful exploitation gives the attacker arbitrary code execution running as the current user, enabling full read, write, and control of anything that user can access. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as Adobe ships an upstream fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-47913 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and build pipelines, including custom-built images that bundle Acrobat Reader or its libraries.

Status: Available

Triage

Triage is available with a CVSS v3.1 score of 7.8 (HIGH), weighted against each customer organization's per-environment compliance policy; findings are routed automatically to the team inbox configured for that policy tier.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle; the moment an upstream patch is released, a patched-image rebuild at that version becomes available, and customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing service is involved.

  • Authentication: Not required

    No account or credential is required to trigger the vulnerability; any unprivileged local context is sufficient.

  • Victim interaction: Required

    A victim must open a malicious file, making social engineering (email attachment, download link, shared document) the primary delivery vector.

  • Attack complexity: Low

    The exploit is reliable and condition-free once the victim opens the file; no race conditions or special memory-layout requirements apply.

Blast Radius

  • Executes arbitrary code as the currently logged-in user, giving the attacker the same file-system and process permissions that user holds.
  • Reads any files the user can access, including stored credentials, session tokens, and personal or corporate documents.
  • Writes or modifies files owned by the user, enabling persistence mechanisms such as dropped binaries or altered configuration files.
  • Crashes or destabilizes Acrobat Reader and any dependent workflows, disrupting document processing for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-47913 is matched against all images in customer registries and pipelines within minutes of ingestion. Because Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available immediately when upstream ships a corrected version. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads automatically. In the interim, compensating controls available through HarborGuard policy include network-policy isolation of workloads that render PDFs, egress filtering to limit lateral movement if a host is compromised, and flagging any image that bundles an affected Acrobat Reader version so that deployment can be gated on compliance review.

Affected packages
  • Adobe / Acrobat Reader
    ≤ 26.001.21651
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H