Severity: HIGH | CVE-2026-47916 | CNA: adobe

CVE-2026-47916: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fixed version published yet (pending upstream)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Adobe Acrobat Reader (versions 26.001.21651 and earlier, and 24.001.30365 and earlier) allows an attacker to execute arbitrary code in the context of the logged-in user. The attack is local in delivery and requires no authentication, but it depends on a victim opening a specially crafted malicious file. Successful exploitation gives the attacker full code execution as that user, enabling data theft, file tampering, or further compromise of the host. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Acrobat Reader components. Any image containing an affected version is flagged immediately upon ingestion.

Triage: Available

HarborGuard scores this finding at CVSS 7.8 (High) and weights it further against each customer environment's compliance policy. Alerts are routed to the appropriate team inbox within each customer organization according to the configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers who opt into auto-remediation, a rebuilt image, a regression-test run, and a pull request against affected workloads will be triggered automatically as soon as an upstream patch version is confirmed.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host, or the ability to deliver a malicious file locally; no over-the-network service exposure is required.

  • Authentication: Not required

    No account or credentials are required to stage the attack; the attacker only needs to get the victim to open a crafted file.

  • Victim interaction: Required

    A victim must actively open a malicious file, making social engineering (for example, a phishing email with an attached PDF) the primary delivery vector.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is expected to be reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Reads files and data accessible to the current user, including stored documents, credentials cached on disk, and browser profile data.
  • Modifies or deletes files within the current user's permission scope, including application data and configuration files.
  • Executes arbitrary processes as the current user, enabling installation of malware, creation of persistence mechanisms, or lateral movement within the host.
  • Crashes or destabilizes the Acrobat Reader process, causing loss of any unsaved work open at the time of exploitation.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored on every ingest cycle because no upstream fix exists. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, including network-policy isolation for workloads that distribute or process PDF files, egress filtering to limit outbound connections from affected containers, and feature-flag gating to disable Acrobat Reader invocation in automated pipelines. As soon as Adobe publishes a patched version, HarborGuard will make a rebuilt image available at that version. For customers with auto-remediation enabled, the pipeline will trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically, with a median time from CVE patch publication to merged PR of around 90 minutes for High-severity issues.

Affected packages

  • Adobe / Acrobat Reader: ≤ 26.001.21651

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H