HIGH | CVE-2026-47918 | CNA: adobe

CVE-2026-47918: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Use After Free vulnerability in Adobe Acrobat Reader (versions 26.001.21651 and earlier) allows an attacker to execute arbitrary code in the context of the current user. The attack is local in nature and requires no prior authentication, but relies on a victim opening a malicious file. Successful exploitation gives the attacker full code execution capabilities under the victim's user account. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Adobe ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-47918 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Acrobat Reader components. Any image found to carry an affected version is flagged immediately in the customer's pipeline view.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to determine urgency. Routed findings land in the appropriate team inbox within the customer org so the right engineers see the alert without manual triage overhead.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment Adobe releases a remediated version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without any manual intervention required.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger this vulnerability.

  • Authentication: Not required

    No account or credentials are needed on the target system before the exploit can be attempted.

  • Victim interaction: Required

    A victim must be socially engineered into opening a maliciously crafted file, such as a PDF delivered via email or download.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the victim opens the file; no race conditions or special memory-layout requirements apply.

Blast Radius

  • The attacker executes arbitrary code under the victim user's account, gaining full access to everything that account can do on the host.
  • Confidential files readable by the victim user (documents, credentials, session tokens stored on disk) are exposed to the attacker.
  • The attacker can write or modify files owned by the victim user, including application data, configuration files, and persisted state.
  • The attacker can crash or destabilize Acrobat Reader and any dependent processes running under the same user context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47918 is active across all connected registries and build pipelines, flagging any image that bundles an affected Acrobat Reader version. Because Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that means a rebuilt image, a regression-test run, and a PR opened against affected workloads will be triggered without manual steps. In the interim, compensating controls worth considering include restricting container workloads that embed Acrobat Reader from processing untrusted user-supplied files, applying network-policy isolation to limit what a compromised user context can reach, and using feature-flag gating to disable file-open functionality in environments where it is not strictly required. HarborGuard will surface the fix-version signal as soon as it is available in the upstream advisory data.

Affected packages
  • Adobe / Acrobat Reader
    ≤ 26.001.21651
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H