HarborGuard Database
CVE-2026-47920 | Severity: HIGH | CNA: adobe

CVE-2026-47920: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

CVSS v3.1 base score: 7.8
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

Use-after-free vulnerability in Adobe Acrobat Reader (two release lines are affected: 24.001.30365 and earlier, and 26.001.21651 and earlier) allows arbitrary code execution when a victim opens a malicious file. The attack vector is local (CVSS AV:L): the attacker needs no network access to the victim's machine and no account privileges; the only precondition is that a user opens the crafted document. Successful exploitation gives the attacker code execution in the context of the logged-in user, enabling data theft, file tampering, or further system compromise. No upstream fix has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild once Adobe releases one.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-47920 is available across every HarborGuard environment: the CVE is matched against customer images within minutes of feed ingestion, including custom-built images that bundle Acrobat Reader. Any image in a customer registry or CI pipeline that carries an affected Acrobat Reader build is flagged automatically. Note that the advisory names two affected release lines (24.001.30365 and earlier, 26.001.21651 and earlier), so version matching has to be done per line rather than against a single upper bound.

Available
Triage

HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer organization based on ownership rules configured in that environment.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-evaluates the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically once a fix is released. In the interim, customers can apply compensating controls through HarborGuard's policy configuration, such as file-type ingestion restrictions (which keep untrusted PDFs from reaching Reader at all) and network-policy isolation (which does not stop the use-after-free from triggering, since the bug is reached by opening a file, but limits what an attacker can reach from the compromised process afterwards).

Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The vulnerable code is reached by opening a file, not over the network (CVSS AV:L). The attacker does not need a shell or process on the host; delivering a crafted document to the victim, for example by email or a shared drive, is sufficient.

  • Authentication: Not required

    No account credentials or prior authentication are needed (PR:N); the vulnerability is reachable by any user who opens a crafted file.

  • Victim interaction: Required

    The victim must open the malicious file (UI:R), making this a social-engineering vector that depends on tricking the user into accessing a crafted document.

  • Attack complexity: Low

    CVSS rates attack complexity as low (AC:L), meaning no specialized conditions outside the attacker's control are required beyond getting the file opened. This is not a statement about exploit reliability: turning a use-after-free into code execution typically still requires heap grooming and bypassing the platform's exploit mitigations, and the score does not account for that.

Blast Radius

  • Reads files and data accessible to the current user, including stored credentials, documents, and session tokens.
  • Modifies or deletes files the current user has write access to, including configuration and application data.
  • Executes arbitrary code in the context of the logged-in user, enabling installation of malware or backdoors.
  • Provides a foothold for lateral movement or privilege escalation if the victim account has elevated permissions.

How HarborGuard Handles This

Available on HarborGuard: since no fix version has been published by Adobe, HarborGuard continuously monitors the upstream advisory on every ingest cycle and will automatically surface a patched-image rebuild as soon as a fix is released. For environments with auto-remediation enabled, that rebuild triggers a regression test run and opens a PR against affected workloads without manual intervention, where compliance policy permits. In the meantime, recommended compensating controls are: restricting which container workloads can ingest or process PDF and document files (the only control here that prevents the bug from being triggered), applying network-policy isolation to services running Acrobat Reader (which limits post-exploitation reach rather than the trigger), and enabling HarborGuard policy alerts so that any new image pushed with an affected version is blocked at the pipeline gate. This CVE will be re-evaluated and customers notified automatically when Adobe publishes a fix.

Affected packages
  • Adobe / Acrobat Reader
    ≤ 24.001.30365 (24.001 release line) and ≤ 26.001.21651 (26.001 release line). A single flat bound of ≤ 26.001.21651 would also match later builds on the 24.001 line, so matching is per release line.
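The per-line version check described above, as an added example (not HarborGuard's or Adobe's code). The two upper bounds come from the advisory text; the rule that builds numbered 24.001.x are judged only against the 24.001 bound is an assumption made here, as are the inventory lines and the hypothetical build 24.001.30400 used to show how a flat upper bound over-matches.

```python
"""Version-range check for CVE-2026-47920 affected Acrobat Reader builds.

Added example, not HarborGuard's or Adobe's code. The two affected bounds
(24.001.30365, 26.001.21651) come from the advisory text; the inventory
lines and the build numbers above those bounds are constructed here.
"""
from typing import Dict, Tuple

# Upper bounds of the two affected release lines named in the advisory.
AFFECTED_24_LINE = (24, 1, 30365)
AFFECTED_26_LINE = (26, 1, 21651)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse an Acrobat-style 'MAJOR.MINOR.BUILD' string into an int tuple.

    Zero-padded components such as '001' compare correctly once converted
    to ints; lexical comparison of the raw strings would not.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def is_affected(version: str) -> bool:
    """True if the build falls inside either affected range.

    Assumption (not stated on the page): builds whose first two components
    are 24.001 belong to the 24.001 release line and are judged only against
    that line's bound; every other build is judged against 26.001.21651.
    """
    v = parse_version(version)
    if v[:2] == AFFECTED_24_LINE[:2]:
        return v <= AFFECTED_24_LINE
    return v <= AFFECTED_26_LINE


def is_affected_flat(version: str) -> bool:
    """The naive single-bound rule ('<= 26.001.21651'), for comparison only."""
    return parse_version(version) <= AFFECTED_26_LINE


def scan_inventory(inventory: str) -> Dict[str, bool]:
    """Map image name -> affected flag for 'image<TAB>reader_version' lines."""
    results: Dict[str, bool] = {}
    for line in inventory.strip().splitlines():
        image, version = line.split("\t")
        results[image] = is_affected(version)
    return results


# Constructed inventory: image name and the Reader build it bundles.
# 24.001.30400 is a hypothetical later build on the 24.001 line.
SAMPLE_INVENTORY = """\
ci/pdf-render:1\t24.001.30365
ci/pdf-render:2\t24.001.30400
ci/docs-ingest:7\t26.001.21651
ci/docs-ingest:8\t26.001.21700
legacy/reports:3\t23.008.20470
"""


if __name__ == "__main__":
    for image, flagged in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{image:22} affected={flagged}")
    # The flat rule wrongly flags the later build on the 24.001 line.
    print("flat rule flags 24.001.30400:", is_affected_flat("24.001.30400"))
```

The per-line rule and the flat rule agree on every build except those on the 24.001 line above 24.001.30365, which is exactly where a scanner keyed on a single upper bound produces false positives.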
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H