HarborGuard Database

HIGH · CVE-2026-47914 · CNA: adobe

CVE-2026-47914: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365 and earlier, and 26.001.21651 and earlier, are affected by a use-after-free vulnerability (CWE-416) that could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction: a victim must open a malicious file.

Metrics

  • CVSS v3.1 base score: 7.8
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Adobe Acrobat Reader (versions 24.001.30365 and earlier, and 26.001.21651 and earlier) allows an attacker to execute arbitrary code on a target machine. Delivery is local (CVSS AV:L), no prior authentication is needed (PR:N), but the attack depends on a victim opening a malicious file (UI:R). Successful exploitation gives the attacker code execution as the logged-in user, so everything that user can read, modify, or run is exposed: full loss of confidentiality, integrity, and availability within that user context. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Adobe ships a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-47914 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Acrobat Reader. Coverage applies to both registry scans and images evaluated mid-pipeline at build time.
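The matching step above compares each image's installed Acrobat Reader build against the advisory's version bounds. The following is an added example, not HarborGuard's scanner code, showing a branch-aware check for the two bounds this advisory quotes. It assumes (an interpretation, labelled as such in the code) that "24.001.30365 and earlier" applies to builds on the 24.001 line and "26.001.21651 and earlier" to every other build, and it contrasts that with a naive single-bound comparison, which would misclassify a hypothetical later 24.001 build. The inventory, image names, and the 24.001.30366, 26.001.21652, and 25.001.20432 version strings are constructed for the example and are not real releases.

```python
"""Branch-aware affected-version check for CVE-2026-47914 (added example).

Assumption: the advisory's two "and earlier" bounds describe two release
branches. A 24.001.x build is affected when <= 24.001.30365; any other build
is affected when <= 26.001.21651. This is an interpretation of the
advisory text, not Adobe's or HarborGuard's published matching rule.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Bounds quoted in the advisory, keyed by branch prefix (major, minor).
AFFECTED_BOUNDS: Dict[object, Version] = {
    (24, 1): (24, 1, 30365),   # 24.001 line
    None: (26, 1, 21651),      # default bound for every other branch
}


def parse_version(s: str) -> Version:
    """'24.001.30365' -> (24, 1, 30365); leading zeros are not significant."""
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(part) for part in s.split("."))


def is_affected(version: str) -> bool:
    """Branch-aware check: pick the bound for this build's (major, minor) branch."""
    v = parse_version(version)
    bound = AFFECTED_BOUNDS.get(v[:2], AFFECTED_BOUNDS[None])
    return v <= bound


def naive_is_affected(version: str) -> bool:
    """Single-bound check as a plain '<= 26.001.21651' comparison would do it.
    Kept only to show where it disagrees with the branch-aware check."""
    return parse_version(version) <= AFFECTED_BOUNDS[None]


# Constructed sample inventory (not real customer data or real Adobe builds):
# image reference -> Acrobat Reader version found in the image.
SAMPLE_INVENTORY: Dict[str, str] = {
    "registry.example/desktop-base:2024.3": "24.001.30365",  # bound itself: affected
    "registry.example/desktop-base:2024.4": "24.001.30366",  # hypothetical later 24.001 build
    "registry.example/kiosk:26": "26.001.21651",             # bound itself: affected
    "registry.example/kiosk:26-next": "26.001.21652",        # hypothetical later build
    "registry.example/legacy:25": "25.001.20432",            # hypothetical 25.x build
}


def find_affected(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted image references whose Acrobat Reader build is affected."""
    return sorted(image for image, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for image, ver in SAMPLE_INVENTORY.items():
        print(f"{image:45s} {ver:15s} affected={is_affected(ver)} "
              f"naive={naive_is_affected(ver)}")
    print("affected images:", find_affected(SAMPLE_INVENTORY))
```

The point of the contrast is the hypothetical 24.001.30366 build: a naive `<= 26.001.21651` comparison flags it, the branch-aware check does not. Whether that is right depends on how Adobe's two tracks are actually versioned, which is exactly the assumption a scanner author has to confirm against the vendor's release notes before shipping the rule.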
Triage: Available

HarborGuard scores this CVE at CVSS 7.8 HIGH and surfaces it accordingly in each customer environment, weighted against that environment's compliance policy to prioritize routing. Findings are directed to the appropriate team inbox within each customer org based on configured ownership rules.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as Adobe releases a remediated version. For customers with auto-remediation enabled, that rebuild triggers a regression run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Not required

    The attacker does not need network access to the target (CVSS AV:L). Either they already have a shell or process on the host, or they deliver the malicious file through another channel such as email or a download and wait for the victim to open it.

  • Authentication: Not required

    No account or credentials on the target system are needed to carry out the attack (PR:N).

  • Victim interaction: Required

    The victim must open a malicious file (for example, a crafted PDF), making this a social-engineering-dependent exploit (UI:R).

  • Attack complexity: Low

    Attack complexity is low (AC:L). In CVSS terms this means success does not hinge on conditions outside the attacker's control, such as winning a race against another process. It rates preconditions, not effort: turning a use-after-free into reliable code execution generally still requires the crafted file to shape heap state, and that work is part of building the exploit rather than a condition the environment must happen to satisfy.

Blast Radius

  • Reads any files or secrets accessible to the current user, including stored credentials, session tokens, and personal documents.
  • Modifies or deletes files owned by the current user, including application data and configuration files.
  • Executes arbitrary code in the user context, enabling installation of malware or lateral movement tooling on the host.
  • Crashes or destabilizes Acrobat Reader and any dependent processes running under the same user account.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47914 is active now, matching every image in customer registries and pipelines that bundles an affected version of Acrobat Reader (24.001.30365 and earlier, or 26.001.21651 and earlier). Because Adobe has not yet published a fix, no patched rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle; for customers with auto-remediation enabled, a patched rebuild, regression run, and PR against affected workloads are triggered automatically as soon as an upstream fix is released. In the interim, compensating controls worth considering: keep Acrobat Reader's Protected Mode sandbox and Protected View enabled so that PDFs from untrusted sources open with reduced privileges (this raises the cost of a working exploit chain but does not remove the bug); filter or quarantine PDF attachments from untrusted senders at the mail gateway, since a malicious file is the delivery vehicle; network-policy isolation for hosts where Acrobat Reader is deployed and egress filtering to limit post-exploitation reach; and, where operationally feasible, substituting an unaffected PDF viewer or disabling Acrobat Reader in high-risk environments via policy controls.

Affected packages
  • Adobe / Acrobat Reader: ≤ 26.001.21651 (the description also lists 24.001.30365 and earlier)

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H