Severity: HIGH | CVE-2026-47965 | CNA: adobe

CVE-2026-47965: Acrobat Reader | Out-of-bounds Write (CWE-787)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (none published)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability affects Adobe Acrobat Reader versions 26.001.21651 and earlier (including 24.001.30365 and earlier in the 24.x line). The flaw is reached locally when a user opens a crafted file, and no authentication is required beyond convincing the victim to open the malicious document. Successful exploitation gives an attacker arbitrary code execution running as the current user. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images containing affected Acrobat Reader versions, including custom-built images that bundle the reader. No manual configuration is needed to trigger scanning.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and can weight that score against each customer organization's compliance policy to determine urgency and route findings to the appropriate team inbox automatically.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Adobe ships a corrected release. In the interim, customers can apply compensating controls through HarborGuard's policy engine to flag or block images containing the affected reader versions.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no over-the-network access path is required.

  • Authentication: Not required

    No account or credential is required to deliver the malicious file; the attack relies solely on the victim opening it.

  • Victim interaction: Required

    The victim must open a specially crafted file, making social engineering (phishing, malicious email attachment, or download) a prerequisite.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the victim opens the file; no race conditions or specific memory layout requirements are noted.

Blast Radius

  • The attacker executes arbitrary code in the security context of the logged-in user, gaining the same file-system and process permissions that user holds.
  • Confidential files accessible to the current user, including documents, credentials cached on disk, and browser-stored secrets, are readable by the attacker.
  • The attacker can write or modify files the current user owns, enabling persistence mechanisms such as dropped binaries or altered configuration files.
  • The affected Acrobat Reader process and any dependent services can be crashed or destabilized, disrupting the user's workflow.

How HarborGuard Handles This

Available on HarborGuard: continuous advisory monitoring for this CVE is active across all customer environments, with re-checks on every ingest cycle so that image matches are updated the moment new information is published. Because no upstream patch exists, customers are encouraged to use HarborGuard's policy engine to enforce network-policy isolation for container workloads that bundle Acrobat Reader, apply egress filtering to limit the blast radius if a container is compromised, and flag or block pipeline promotion of images containing affected versions until Adobe ships a fix. For customers who opt into auto-remediation, a patched-image rebuild and regression run will be triggered automatically as soon as a fix version is published upstream, with a PR opened against affected workloads. HarborGuard will surface a changelog notice in the CVE detail page the moment a fix version becomes available.

Affected packages

  • Adobe / Acrobat Reader
    ≤ 26.001.21651

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H