HIGH | CVE-2026-47955 | CNA: adobe

CVE-2026-47955: Acrobat Reader | Use After Free (CWE-416)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free vulnerability in Adobe Acrobat Reader (versions up to 26.001.21651 and 24.001.30365) allows arbitrary code execution in the context of the logged-in user. The attacker does not need network access or any account credentials, but must convince a victim to open a specially crafted file. Successful exploitation gives the attacker full code execution under the victim's user account. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as upstream ships one.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Acrobat Reader. Any image containing an affected version is flagged immediately.

Triage (Available)

HarborGuard scores this finding at CVSS 7.8 HIGH and weights it against each customer environment's compliance policy, then routes it to the appropriate team inbox within that organization. Per-environment policy rules can escalate or suppress the alert based on asset criticality.

Patch (Pending upstream)

No upstream fix version exists for this CVE at this time. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Adobe publishes a remediated version. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing service exposure is required.

  • Authentication: Not required

    No account credentials or privileges are needed; the attack is delivered entirely through a malicious file.

  • Victim interaction: Required

    The victim must open a malicious file, making this a social-engineering vector where the attacker must persuade the target to do so.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental prerequisites beyond the victim opening the file.

Blast Radius

  • Executes arbitrary code under the victim's user account, giving the attacker full control of any process the user can run.
  • Reads any files, credentials, or secrets accessible to the current user, including browser-stored tokens and documents.
  • Modifies or deletes files and configuration data within the user's permission scope.
  • Crashes or destabilizes the Acrobat Reader process and any dependent workflows relying on it.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against every image in enrolled registries and CI pipelines. Because Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version is released. For customers with auto-remediation enabled, that moment triggers a full rebuild, regression-test run, and a PR opened against affected workloads with no manual intervention required. While no upstream patch exists, compensating controls can reduce exposure: network-policy isolation of hosts running Acrobat Reader, egress filtering to limit post-exploitation reach, and disabling automatic file-open behaviors in managed environments. Customers who want to be alerted the instant a fix is published can subscribe to advisory-watch notifications inside the HarborGuard console for this CVE.

Affected packages

  • Adobe / Acrobat Reader: ≤ 26.001.21651

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H