CVE-2022-35665: Adobe Acrobat DC RCE Vulnerability

CVE-2022-35665 Overview

CVE-2022-35665 is a Use After Free vulnerability affecting Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier), and 17.012.30249 (and earlier). This memory corruption flaw could allow an attacker to achieve arbitrary code execution in the context of the current user. Successful exploitation requires user interaction—specifically, the victim must open a specially crafted malicious PDF file.

Critical Impact
Successful exploitation enables arbitrary code execution with the privileges of the current user, potentially allowing attackers to install malware, steal sensitive data, or establish persistent access on compromised systems.

Affected Products

Adobe Acrobat DC (Continuous track) versions 22.001.20169 and earlier
Adobe Acrobat Reader DC (Continuous track) versions 22.001.20169 and earlier
Adobe Acrobat (Classic 2020) versions 20.005.30362 and earlier
Adobe Acrobat Reader (Classic 2020) versions 20.005.30362 and earlier
Adobe Acrobat (Classic 2017) versions 17.012.30249 and earlier
Adobe Acrobat Reader (Classic 2017) versions 17.012.30249 and earlier

Discovery Timeline

2022-08-11 - CVE-2022-35665 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-35665

Vulnerability Analysis

This vulnerability is classified as CWE-416 (Use After Free), a memory corruption class where a program continues to reference memory after it has been deallocated. In the context of Adobe Acrobat Reader, this occurs when processing maliciously crafted PDF documents that manipulate internal object references.

When a PDF document is parsed, Acrobat Reader allocates memory for various document objects. The Use After Free condition arises when the application frees an object's memory but retains a dangling pointer to that memory location. If an attacker can control the contents of reallocated memory at that address, they can manipulate program execution flow.

The local attack vector indicates the exploit requires delivery of a malicious file to the target system. The requirement for user interaction (opening the malicious PDF) provides a degree of protection, though social engineering techniques commonly bypass this barrier. Once exploited, the vulnerability grants full code execution capabilities within the user's security context, affecting confidentiality, integrity, and availability.

Root Cause

The root cause is improper memory management within Adobe Acrobat Reader's PDF processing engine. Specifically, the application fails to properly invalidate or null-out references to memory objects after deallocation. This creates a race condition where freed memory can be reallocated for attacker-controlled data before the stale pointer is dereferenced.

Use After Free vulnerabilities in document parsers like Acrobat Reader typically stem from complex object lifecycle management, particularly when handling nested or dynamically generated document structures. The asynchronous nature of JavaScript processing within PDFs can exacerbate these conditions.

Attack Vector

The attack requires delivering a malicious PDF file to the victim, which can be accomplished through:

Email attachments with socially engineered content
Drive-by downloads from compromised or malicious websites
File sharing platforms and cloud storage links
Malicious links in phishing campaigns

Once the victim opens the crafted PDF document, the Use After Free condition is triggered during document parsing or JavaScript execution, allowing the attacker to redirect execution flow to shellcode embedded within the document.

The exploitation technique typically involves heap spraying to place controlled data at predictable memory addresses, followed by triggering the Use After Free to redirect execution to the attacker's payload.

Detection Methods for CVE-2022-35665

Indicators of Compromise

Unexpected crashes or abnormal termination of AcroRd32.exe or Acrobat.exe processes
PDF files with unusually complex or obfuscated JavaScript content
Suspicious child processes spawned from Acrobat Reader (e.g., cmd.exe, powershell.exe)
Heap spray patterns or large memory allocations during PDF processing

Detection Strategies

Monitor for anomalous process behavior from Adobe Acrobat Reader, particularly unexpected child process creation
Implement endpoint detection rules to identify heap spray techniques and memory corruption exploitation attempts
Deploy PDF analysis tools in email gateways to scan attachments for malicious JavaScript and exploitation patterns
Enable crash dump analysis to identify exploitation attempts that fail

Monitoring Recommendations

Configure application crash reporting to capture and analyze Acrobat Reader crashes for potential exploitation attempts
Monitor network traffic for suspicious PDF downloads, particularly from untrusted sources
Implement behavioral analysis to detect post-exploitation activities such as unauthorized network connections or file system modifications

How to Mitigate CVE-2022-35665

Immediate Actions Required

Update all Adobe Acrobat and Reader installations to the latest patched versions immediately
Enable Protected Mode and Protected View in Adobe Acrobat Reader to sandbox document processing
Disable JavaScript in Acrobat Reader for environments that don't require PDF script functionality
Block PDF attachments from untrusted email sources until patching is complete

Patch Information

Adobe has released security updates addressing this vulnerability in security bulletin APSB22-39. Users should update to the following versions or later:

Acrobat DC (Continuous): Update to version 22.002.20191 or later
Acrobat Reader DC (Continuous): Update to version 22.002.20191 or later
Acrobat 2020 (Classic): Update to version 20.005.30381 or later
Acrobat Reader 2020 (Classic): Update to version 20.005.30381 or later
Acrobat 2017 (Classic): Update to version 17.012.30262 or later
Acrobat Reader 2017 (Classic): Update to version 17.012.30262 or later

Organizations should prioritize patching systems that regularly process PDF documents from external sources.

Workarounds

Enable Protected View for all files by navigating to Edit → Preferences → Security (Enhanced) and selecting "Files from potentially unsafe locations"
Disable JavaScript execution in Acrobat Reader via Edit → Preferences → JavaScript → uncheck "Enable Acrobat JavaScript"
Implement application whitelisting to prevent unauthorized code execution even if exploitation occurs
Use alternative PDF readers in isolated environments for documents from untrusted sources

bash

# Windows Registry: Disable JavaScript in Acrobat Reader DC
reg add "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

# Enable Protected Mode (requires application restart)
reg add "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Privileged" /v bProtectedMode /t REG_DWORD /d 1 /f

CVE-2022-35665 Overview

Critical Impact
Successful exploitation enables arbitrary code execution with the privileges of the current user, potentially allowing attackers to install malware, steal sensitive data, or establish persistent access on compromised systems.

Affected Products

Adobe Acrobat DC (Continuous track) versions 22.001.20169 and earlier
Adobe Acrobat Reader DC (Continuous track) versions 22.001.20169 and earlier
Adobe Acrobat (Classic 2020) versions 20.005.30362 and earlier
Adobe Acrobat Reader (Classic 2020) versions 20.005.30362 and earlier
Adobe Acrobat (Classic 2017) versions 17.012.30249 and earlier
Adobe Acrobat Reader (Classic 2017) versions 17.012.30249 and earlier

Discovery Timeline

2022-08-11 - CVE-2022-35665 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-35665

Vulnerability Analysis

Root Cause

Attack Vector

The attack requires delivering a malicious PDF file to the victim, which can be accomplished through:

Email attachments with socially engineered content
Drive-by downloads from compromised or malicious websites
File sharing platforms and cloud storage links
Malicious links in phishing campaigns

Detection Methods for CVE-2022-35665

Indicators of Compromise

Unexpected crashes or abnormal termination of AcroRd32.exe or Acrobat.exe processes
PDF files with unusually complex or obfuscated JavaScript content
Suspicious child processes spawned from Acrobat Reader (e.g., cmd.exe, powershell.exe)
Heap spray patterns or large memory allocations during PDF processing

Detection Strategies

Monitor for anomalous process behavior from Adobe Acrobat Reader, particularly unexpected child process creation
Implement endpoint detection rules to identify heap spray techniques and memory corruption exploitation attempts
Deploy PDF analysis tools in email gateways to scan attachments for malicious JavaScript and exploitation patterns
Enable crash dump analysis to identify exploitation attempts that fail

Monitoring Recommendations

Configure application crash reporting to capture and analyze Acrobat Reader crashes for potential exploitation attempts
Monitor network traffic for suspicious PDF downloads, particularly from untrusted sources
Implement behavioral analysis to detect post-exploitation activities such as unauthorized network connections or file system modifications

How to Mitigate CVE-2022-35665

Immediate Actions Required

Update all Adobe Acrobat and Reader installations to the latest patched versions immediately
Enable Protected Mode and Protected View in Adobe Acrobat Reader to sandbox document processing
Disable JavaScript in Acrobat Reader for environments that don't require PDF script functionality
Block PDF attachments from untrusted email sources until patching is complete

Patch Information

Adobe has released security updates addressing this vulnerability in security bulletin APSB22-39. Users should update to the following versions or later:

Acrobat DC (Continuous): Update to version 22.002.20191 or later
Acrobat Reader DC (Continuous): Update to version 22.002.20191 or later
Acrobat 2020 (Classic): Update to version 20.005.30381 or later
Acrobat Reader 2020 (Classic): Update to version 20.005.30381 or later
Acrobat 2017 (Classic): Update to version 17.012.30262 or later
Acrobat Reader 2017 (Classic): Update to version 17.012.30262 or later

Organizations should prioritize patching systems that regularly process PDF documents from external sources.

Workarounds

Enable Protected View for all files by navigating to Edit → Preferences → Security (Enhanced) and selecting "Files from potentially unsafe locations"
Disable JavaScript execution in Acrobat Reader via Edit → Preferences → JavaScript → uncheck "Enable Acrobat JavaScript"
Implement application whitelisting to prevent unauthorized code execution even if exploitation occurs
Use alternative PDF readers in isolated environments for documents from untrusted sources

bash

# Windows Registry: Disable JavaScript in Acrobat Reader DC
reg add "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

# Enable Protected Mode (requires application restart)
reg add "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Privileged" /v bProtectedMode /t REG_DWORD /d 1 /f

CVE-2022-35665: Adobe Acrobat DC RCE Vulnerability

CVE-2022-35665 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-35665

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-35665

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-35665

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-35665: Adobe Acrobat DC RCE Vulnerability

CVE-2022-35665 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-35665

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-35665

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-35665

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform