CVE-2026-47923 Overview
CVE-2026-47923 is an out-of-bounds read vulnerability [CWE-125] affecting Adobe Acrobat Reader versions 24.001.30365, 26.001.21651, and earlier. The flaw allows an attacker to read memory outside the bounds of an intended buffer, potentially disclosing sensitive process memory. Exploitation requires user interaction: a victim must open a crafted malicious file in Acrobat Reader. Adobe documented the issue in security advisory APSB26-63.
Critical Impact
Successful exploitation can disclose sensitive information from Acrobat Reader process memory, including data that may aid in bypassing memory protections such as ASLR.
Affected Products
- Adobe Acrobat Reader 24.001.30365 and earlier
- Adobe Acrobat Reader 26.001.21651 and earlier
- Adobe Acrobat (corresponding tracks covered by APSB26-63)
Discovery Timeline
- 2026-06-09 - CVE-2026-47923 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47923
Vulnerability Analysis
The vulnerability is an out-of-bounds read in Adobe Acrobat Reader's file parsing logic. When the application processes a malformed document, it reads memory beyond the allocated buffer boundary. The read operation returns adjacent heap or stack contents that were not intended for exposure.
This class of weakness, classified as [CWE-125], typically results in information disclosure rather than code execution. Disclosed memory may contain pointers, object metadata, or document data from other open files. Attackers commonly chain such reads with separate memory corruption flaws to defeat Address Space Layout Randomization (ASLR).
The issue is local in attack vector because the malicious file must be opened on the victim's system. No elevated privileges are required, but the victim must interact with the file.
Root Cause
The root cause is missing or insufficient bounds checking during parsing of structured document content. Acrobat Reader's parser trusts a length or offset field from the crafted file and dereferences memory based on that value without validating it against the allocated buffer size. Adobe's advisory APSB26-63 does not publicly disclose the specific parser component.
Attack Vector
An attacker crafts a malicious PDF or related document containing manipulated structure fields. The attacker delivers the file via email, web download, or shared storage. When the victim opens the file in a vulnerable Acrobat Reader build, the parser triggers the out-of-bounds read. The attacker then needs a channel — such as embedded JavaScript or a follow-up document interaction — to exfiltrate the disclosed memory contents.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. For implementation details, refer to the Adobe Security Advisory APSB26-63.
Detection Methods for CVE-2026-47923
Indicators of Compromise
- Unexpected Acrobat Reader crashes or Dr. Watson entries following the opening of an untrusted PDF.
- PDF files containing malformed object streams, unusual cross-reference table entries, or oversized length fields.
- Acrobat Reader processes initiating outbound network connections shortly after opening a document, suggesting memory exfiltration.
Detection Strategies
- Inspect inbound PDFs at email and web gateways using sandbox detonation to identify parsers triggering memory errors.
- Monitor endpoint telemetry for AcroRd32.exe or Acrobat.exe exceptions, abnormal child processes, or anomalous memory access patterns.
- Maintain software inventory queries that flag hosts running Acrobat Reader builds at or below 24.001.30365 and 26.001.21651.
Monitoring Recommendations
- Alert on Acrobat Reader processes spawning scripting hosts such as powershell.exe, wscript.exe, or cmd.exe.
- Track document open events correlated with outbound HTTPS traffic to uncategorized destinations.
- Capture and retain crash dumps from Acrobat Reader to support post-incident analysis of suspected exploitation attempts.
How to Mitigate CVE-2026-47923
Immediate Actions Required
- Apply the Acrobat and Acrobat Reader updates referenced in Adobe security bulletin APSB26-63 to all managed endpoints.
- Inventory all hosts running affected versions and prioritize patching for users who routinely process external documents.
- Enable Protected View and Protected Mode in Acrobat Reader to restrict the impact of malicious files until patches are deployed.
Patch Information
Adobe addressed the vulnerability in updated builds of Acrobat and Acrobat Reader released alongside Adobe Security Advisory APSB26-63. Administrators should consult the advisory for the exact fixed version numbers per update track and deploy them through Adobe Update Server, SCCM, Intune, or equivalent management tooling.
Workarounds
- Disable JavaScript in Acrobat Reader under Preferences > JavaScript to limit scripted memory disclosure techniques.
- Block opening of PDFs from untrusted sources at the email gateway and enforce attachment sandboxing before delivery.
- Configure Acrobat Reader's Enhanced Security and Protected View settings to open files from untrusted locations in a sandboxed container.
# Configuration example: enforce Protected View for all files via Windows registry
reg add "HKCU\Software\Adobe\Acrobat Reader\DC\TrustManager" /v iProtectedView /t REG_DWORD /d 2 /f
reg add "HKCU\Software\Adobe\Acrobat Reader\DC\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
