How is CVE-2026-47952 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network-level access to the target service is required. Authentication (not-required): No account or credential is needed before launching the attack; the exploit is delivered entirely through a malicious file. Victim interaction (required): A victim must be socially engineered into opening a malicious file, such as a crafted PDF, for the overflow to trigger. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond the victim opening the file.

What is the impact of CVE-2026-47952?

An attacker achieves arbitrary code execution running as the current user, giving them full control over any process they can spawn in that context. All files, secrets, and credentials readable by the victim user become accessible to the attacker. The attacker can write or modify any file the victim user has write access to, including application data, configuration files, and stored documents. The affected process and any child processes can be terminated or destabilized, disrupting the user's session and any dependent workflows.

Back to search

HIGHCVE-2026-47952Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-47952: Acrobat Reader | Heap-based Buffer Overflow (CWE-122)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A heap-based buffer overflow vulnerability affects Adobe Acrobat Reader versions 26.001.21651 and earlier (including 24.001.30365 and earlier in the 24.x line). The vulnerability is exploited locally, requires no prior authentication, but does require a victim to open a specially crafted malicious file. Successful exploitation gives an attacker arbitrary code execution running as the current user, enabling full read, write, and control over anything that user can access. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-47952 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Acrobat Reader or its libraries. Pipelines and registry scans are both covered, so any affected image version surfaces regardless of where it was built.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 7.8 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Routed alerts reach the appropriate team inbox inside the customer org, prioritized according to policy thresholds set by that organization.

Available

Patch

Because no upstream fix version has been published for CVE-2026-47952, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Adobe ships a fix. In the meantime, compensating controls such as network-policy isolation or restricting file-handling workloads can be applied through HarborGuard's policy engine where supported by the customer's configuration.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network-level access to the target service is required.
AuthenticationNot required
No account or credential is needed before launching the attack; the exploit is delivered entirely through a malicious file.
Victim interactionRequired
A victim must be socially engineered into opening a malicious file, such as a crafted PDF, for the overflow to trigger.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond the victim opening the file.

Blast Radius

An attacker achieves arbitrary code execution running as the current user, giving them full control over any process they can spawn in that context.
All files, secrets, and credentials readable by the victim user become accessible to the attacker.
The attacker can write or modify any file the victim user has write access to, including application data, configuration files, and stored documents.
The affected process and any child processes can be terminated or destabilized, disrupting the user's session and any dependent workflows.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-47952, the platform monitors the Adobe advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a pull request against affected workloads without manual intervention, typically within roughly 90 minutes of CVE publication for HIGH-severity issues once a fix is available. While no patch exists, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict lateral movement from a compromised container, egress filtering to limit what a hijacked process can reach, and feature-flag gating to disable or sandbox file-handling workloads where compliance policy permits. HarborGuard will surface an alert as soon as Adobe publishes a fix version, at which point the full rebuild-and-PR flow becomes available.

See how HarborGuard automates this

Affected packages

Adobe / Acrobat Reader
≤ 26.001.21651

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified