Severity: HIGH | CVE-2026-47915 | CNA: adobe

CVE-2026-47915: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Adobe Acrobat Reader (versions 26.001.21651 and earlier, including 24.001.30365 and earlier) allows an attacker to execute arbitrary code on the victim's machine. The attack vector is local and requires no authentication, but the victim must open a malicious file such as a crafted PDF. Successful exploitation gives the attacker full code execution in the context of the current user, enabling data theft, file modification, or further system compromise. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-47915 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Acrobat Reader or its libraries.

Status: Available

Triage

Triage is available with the CVSS v3.1 base score of 7.8 (HIGH) applied automatically; per-environment compliance policy weighting can escalate or suppress the finding, and routing rules direct the alert to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the upstream Adobe advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard network policy recommendations to reduce exposure of affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no over-the-network access to the service is required.

  • Authentication: Not required

    No account or credentials are needed to exploit this vulnerability; the attacker delivers the malicious file without authenticating to any service.

  • Victim interaction: Required

    A victim must open a malicious file (for example, a crafted PDF) for the use-after-free to be triggered, making this a social-engineering-dependent attack.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no specific race conditions, memory layout dependencies, or other environmental factors beyond victim file-open.

Blast Radius

  • Executes arbitrary code in the context of the logged-in user, giving the attacker the same file-system and process permissions as that user.
  • Reads files accessible to the current user, including documents, credentials stored on disk, and browser session data.
  • Writes or modifies files owned by the current user, enabling persistence mechanisms such as dropped binaries or modified startup scripts.
  • Crashes or destabilizes the Acrobat Reader process, disrupting document workflows dependent on it.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-47915 is flagged at HIGH severity (CVSS 7.8) in any scanned image containing an affected version of Acrobat Reader (26.001.21651 or earlier). Because Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as an upstream fix is released; for customers with auto-remediation enabled, that triggers a rebuild, a regression-test run, and a PR opened against affected workloads. While no patch exists, compensating controls available through HarborGuard include network-policy isolation to limit the environments where affected images are deployed, egress filtering to constrain what a compromised process can reach, and feature-flag gating to disable deployment of the affected image in production pipelines until a fix is confirmed.

Affected packages
  • Adobe / Acrobat Reader
    ≤ 26.001.21651
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H