HIGH | CVE-2026-47959 | CNA: adobe

CVE-2026-47959: Acrobat Reader | Stack-based Buffer Overflow (CWE-121)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Stack-based buffer overflow in Adobe Acrobat Reader (versions 26.001.21651 and earlier, including 24.001.30365 and earlier) allows an attacker to execute arbitrary code on the victim's machine. The vulnerability is local in nature and requires no prior authentication, but the victim must open a specially crafted malicious file. Successful exploitation gives the attacker full code execution in the context of the logged-in user, enabling data theft, file manipulation, or further system compromise. No fix version has been published yet; HarborGuard tracks the advisory and will surface patch availability as soon as Adobe releases an update.

HarborGuard Coverage

Detection

Detection for CVE-2026-47959 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Adobe security bulletins. This matching capability covers custom-built container images that bundle Acrobat Reader alongside other software, in addition to base images pulled from public registries.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 7.8 (HIGH) and weighting that score against each environment's configured compliance policy. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on affected image ownership and policy thresholds.

Status: Available

Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, compensating-control recommendations such as network-policy isolation and restricting document-handling workloads are surfaced in the triage detail for each affected image.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attack vector is local (AV:L): exploitation happens when the malicious file is opened on the victim's host, and no over-the-network access to the service is required.

  • Authentication: Not required

    No account or credentials are required to deliver the malicious file to the victim.

  • Victim interaction: Required

    The victim must actively open a malicious file, making this a social-engineering vector typically delivered via email attachment or a crafted download link.

  • Attack complexity: Low

    The exploit is reliable and condition-free once the victim opens the file, with no race conditions or special memory-layout requirements.

Blast Radius

  • The attacker executes arbitrary code in the context of the logged-in user, gaining the same filesystem and process privileges as that user.
  • Files accessible to the current user, including documents, credentials cached on disk, and browser profile data, can be read and exfiltrated.
  • The attacker can write or modify files owned by the current user, including configuration files and application data.
  • The running Acrobat Reader process and any child processes the attacker spawns can be terminated or repurposed, disrupting document workflows.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-47959, the platform monitors the Adobe advisory on every ingest cycle and will make a patched-image rebuild available at the corrected version the moment Adobe publishes one. For customers with auto-remediation enabled, that rebuild will be followed automatically by a regression-test run and a PR opened against affected workloads, with no manual intervention required. While the advisory remains open, HarborGuard surfaces compensating-control guidance for affected images, including options such as network-policy isolation of document-processing workloads, egress filtering to limit post-exploitation reach, and feature-flag gating to disable Acrobat Reader invocation in container environments where it is not strictly needed. Customers whose compliance policies flag HIGH-severity unpatched CVEs for escalation will have this issue routed to the appropriate inbox automatically.

Affected packages
  • Adobe / Acrobat Reader
    ≤ 26.001.21651
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H