Severity: HIGH | CVE-2026-47919 | CNA: adobe

CVE-2026-47919: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Use-after-free vulnerability in Adobe Acrobat Reader (versions up to and including 26.001.21651) allows an attacker to achieve arbitrary code execution in the context of the logged-in user. The attack is local in delivery and requires no prior authentication, but does require the victim to open a specially crafted malicious file. Successful exploitation gives the attacker full code execution rights within the user's session, enabling data theft, file tampering, or further system compromise. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as Adobe releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-47919 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Acrobat Reader. Any image containing an affected version of Acrobat Reader at or below 26.001.21651 is flagged automatically.

Status: Available

Triage

Triage is available with a CVSS v3.1 base score of 7.8 (HIGH), weighted further by each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available the moment Adobe releases a corrected version. In the meantime, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing affected Acrobat Reader versions.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing service is required to deliver the exploit.

  • Authentication: Not required

    No account or credentials are needed on the target system before exploitation begins.

  • Victim interaction: Required

    The victim must open a malicious file, making social engineering or file delivery a necessary step for the attacker.

  • Attack complexity: Detail

    Exploit reliability is high and no special environmental conditions, race conditions, or memory-layout dependencies are required.

Blast Radius

  • A successful attacker executes arbitrary code with the full privileges of the logged-in user, gaining direct control over that user's session.
  • Confidential files, stored credentials, and documents accessible to the user can be read and exfiltrated.
  • Any files or data the user has write access to can be modified or deleted.
  • The user's running processes and applications can be disrupted or hijacked to support further lateral movement.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47919 is active across all scanning environments, flagging any image that contains Acrobat Reader at or below version 26.001.21651. Because Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual intervention required.

While no patch is available, recommended compensating controls include network-policy isolation to restrict outbound access from hosts running Acrobat Reader, egress filtering to limit exfiltration paths, and application-allowlist policies to prevent execution of untrusted file types in high-risk environments. HarborGuard compliance policies can be configured to block promotion of images containing this CVE to production until a fix is confirmed.

Affected packages
  • Adobe / Acrobat Reader
    ≤ 26.001.21651
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H