HIGH | CVE-2026-47917 | CNA: adobe

CVE-2026-47917: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

Use-after-free vulnerability in Adobe Acrobat Reader (versions 26.001.21651 and earlier, including 24.001.30365 and earlier) allows an attacker to execute arbitrary code on the victim's machine. The vulnerability is triggered locally when a user opens a specially crafted file, requiring no network access or authentication but depending on the victim opening the malicious document. Successful exploitation gives the attacker full code execution in the context of the current user, enabling arbitrary reads, writes, and program execution under that account. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Adobe publishes a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-47917 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including internally built and customized images that bundle Acrobat Reader or its libraries.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to surface priority accurately. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no fix version has been published by Adobe, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, HarborGuard surfaces the open finding continuously so it remains visible and actionable within each customer environment.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing service is involved in triggering this vulnerability.

  • Authentication: Not required

    No account or credentials on the target system are required; the attacker delivers the malicious file through other means such as email or a download.

  • Victim interaction: Required

    The victim must open a malicious file, making this a social-engineering vector where the attacker must convince the user to open a crafted document.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Executes arbitrary code in the context of the logged-in user, giving the attacker full control over any process they spawn under that account.
  • Reads files, credentials, session tokens, and any other data accessible to the current user on the host.
  • Writes or modifies files on the filesystem, including application binaries, configuration files, and user documents.
  • Crashes or terminates the Acrobat Reader process, disrupting document-processing workflows that depend on it.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with no fix version yet published by Adobe. HarborGuard re-evaluates the advisory on every ingest cycle so the finding remains current in each customer environment's scan results. Where compliance policies support compensating controls, HarborGuard can surface policy-based recommendations such as network-policy isolation for systems running Acrobat Reader, egress filtering to limit outbound connections from affected hosts, and disabling automatic file-open behaviors through feature-flag or configuration gating. For customers with auto-remediation enabled, a patched-image rebuild, regression-test run, and PR opened against affected workloads will become available automatically the moment Adobe publishes a fix version, with no manual intervention required.

Affected packages
  • Adobe / Acrobat Reader
    ≤ 26.001.21651
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H