CVE-2026-47921: Acrobat Reader | Use After Free (CWE-416)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Use-after-free vulnerability in Adobe Acrobat Reader (versions 26.001.21651 and earlier, including 24.001.30365 and earlier) allows an attacker to execute arbitrary code on a victim's machine. The attack is local in delivery: no network exposure is needed, but the attacker must convince a user to open a crafted PDF or other malicious file. Successful exploitation gives the attacker full code execution running as the current user, enabling data theft, file modification, or further system compromise. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-47921 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Acrobat Reader or embed affected libraries. Any image containing an affected version of Acrobat Reader (26.001.21651 or earlier) is flagged immediately.
Status: Available
HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and weighs that score against each customer environment's compliance policy to determine priority and escalation path. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, compensating-control recommendations (described below) are surfaced in the triage finding for each affected image.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker does not need network access to the target; they need an existing shell or process on the host, or a way to deliver a malicious file to the victim.
- Authentication: Not required
  No account or credentials on the target system are required to trigger the vulnerability.
- Victim interaction: Required
  The victim must actively open a malicious file (such as a crafted PDF), making social engineering a prerequisite for exploitation.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race timing, or memory-layout knowledge.
Blast Radius
- Reads files, credentials, and session tokens accessible to the current user account.
- Writes or overwrites files on disk under the current user's permissions, including startup items or application configs.
- Executes arbitrary code in the context of the logged-in user, enabling installation of malware or lateral-movement tooling.
- Crashes or corrupts the Acrobat Reader process, causing loss of unsaved document work for the affected user.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47921 is active and will flag any image containing Acrobat Reader 26.001.21651 or earlier. Because Adobe has not yet published a patched release, no rebuild can be offered at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild for affected environments the moment an upstream fix version is confirmed. While no patch exists, customers can apply compensating controls via HarborGuard's policy engine: network-policy isolation to restrict outbound connections from hosts running Acrobat Reader, egress filtering to limit file retrieval from untrusted sources, and feature-flag gating to block PDF rendering in containerized workflows that do not require it. For customers with auto-remediation enabled, a rebuild and regression run will be triggered automatically and a PR opened against affected workloads as soon as a fix version is available upstream.
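The flagging rule above ("Acrobat Reader 26.001.21651 or earlier") is easy to get wrong if version strings are compared as text, because the build field is not fixed-width. The following is an added example, not HarborGuard's scanner code: it parses Adobe's three-field version strings numerically and applies the advisory's ceiling to a constructed image inventory. The image names and the build numbers other than the two named in the advisory are hypothetical.

```python
import re
from typing import List, Tuple

# Ceiling stated in the advisory and used by the flagging rule on this page.
# The older track's ceiling (24.001.30365) is below it, so one ceiling covers both.
AFFECTED_CEILING = "26.001.21651"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '26.001.21651' into (26, 1, 21651) so fields compare numerically."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Acrobat Reader version string: {v!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_affected(version: str, ceiling: str = AFFECTED_CEILING) -> bool:
    """True when the installed build is at or below the advisory's ceiling."""
    return parse_version(version) <= parse_version(ceiling)


def naive_is_affected(version: str, ceiling: str = AFFECTED_CEILING) -> bool:
    """Plain string comparison: the pitfall this example exists to show.
    '9' sorts after '2', so 26.001.9999 looks newer than 26.001.21651."""
    return version <= ceiling


# Constructed inventory: (image name, Acrobat Reader build found in it).
# Only 26.001.21651 and 24.001.30365 come from the advisory; the rest are hypothetical.
INVENTORY: List[Tuple[str, str]] = [
    ("ci-pdf-render:1.4", "26.001.21651"),  # the ceiling itself: affected
    ("ci-pdf-render:1.2", "24.001.30365"),  # older track, also named: affected
    ("legacy-docs:0.9", "26.001.9999"),     # hypothetical lower build: affected
    ("ci-pdf-render:2.0", "26.001.21652"),  # hypothetical build above the ceiling:
                                            # not flagged by this rule (no fix version
                                            # has been published, so this is only the
                                            # rule's boundary, not a known-fixed build)
]


def flag_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (image, version) pairs the advisory's rule should flag."""
    return [(image, ver) for image, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for image, ver in flag_inventory(INVENTORY):
        print(f"FLAG {image}: Acrobat Reader {ver} <= {AFFECTED_CEILING}")
    # Demonstrate the string-comparison pitfall on a hypothetical low build.
    print("numeric:", is_affected("26.001.9999"), "naive:", naive_is_affected("26.001.9999"))
```

The numeric parser flags all three builds at or below the ceiling, while `naive_is_affected` misses 26.001.9999 entirely; any inventory matcher that stores versions as strings should normalise them this way before comparing against an advisory ceiling.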
Affected Products
- Adobe / Acrobat Reader: ≤ 26.001.21651
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H