CVE-2026-47965 Overview
CVE-2026-47965 is an out-of-bounds write vulnerability [CWE-787] affecting Adobe Acrobat and Adobe Acrobat Reader. The flaw impacts versions 24.001.30365, 26.001.21651, and earlier on both Windows and macOS platforms. Attackers can exploit this issue to achieve arbitrary code execution in the context of the current user. Exploitation requires user interaction, meaning the victim must open a crafted PDF file. Adobe addressed the issue in security advisory APSB26-63.
Critical Impact
Successful exploitation allows arbitrary code execution under the current user's privileges, enabling malware delivery, data theft, or further lateral movement from a single malicious PDF.
Affected Products
- Adobe Acrobat (Classic track) version 24.001.30365 and earlier
- Adobe Acrobat DC and Acrobat Reader DC (Continuous track) version 26.001.21651 and earlier
- Microsoft Windows and Apple macOS installations of the affected Acrobat products
Discovery Timeline
- 2026-06-12 - CVE-2026-47965 published to the National Vulnerability Database
- 2026-06-12 - Adobe publishes security advisory APSB26-63 with patched builds
- 2026-06-18 - NVD record last modified
Technical Details for CVE-2026-47965
Vulnerability Analysis
The vulnerability is an out-of-bounds write in Adobe Acrobat and Acrobat Reader. Out-of-bounds write conditions [CWE-787] occur when an application writes data past the end, or before the beginning, of an allocated buffer. In Acrobat, parsing logic for PDF structures handles attacker-controlled data without enforcing correct buffer bounds. A crafted PDF can therefore steer the writer to a memory location outside the intended object.
The attack vector is local and requires user interaction. The attacker must convince the victim to open a malicious PDF, typically delivered through phishing, file-sharing services, or web downloads. Once the file is opened, the parsing routine writes attacker-controlled bytes into adjacent memory. This corruption can be groomed to overwrite function pointers, virtual table entries, or heap metadata, leading to arbitrary code execution with the rights of the user running Acrobat.
Root Cause
The root cause is missing or insufficient bounds checking inside one of Acrobat's PDF object or stream parsers. When the parser processes a malformed length, index, or structure within the document, it computes an offset that falls outside the destination buffer. The writer then commits attacker-controlled data to that offset, producing the memory corruption Adobe documents in APSB26-63.
Attack Vector
Exploitation is local but does not require authentication. A remote attacker can still reach the victim by delivering the malicious PDF through email attachments, drive-by downloads, or malicious links. When the user opens the file in a vulnerable Acrobat build, the parser triggers the out-of-bounds write and the attacker's payload executes in the Acrobat process. Because Acrobat runs in the user session, the executed code inherits that user's rights, file access, and network reach. No verified public exploit or in-the-wild abuse has been reported at the time of writing.
Detection Methods for CVE-2026-47965
Indicators of Compromise
- Acrobat or Reader processes (Acrobat.exe, AcroRd32.exe, AdobeAcrobat) spawning command interpreters such as cmd.exe, powershell.exe, wscript.exe, or /bin/sh.
- Unexpected crashes of Acrobat with access-violation or heap-corruption signatures shortly after a PDF is opened.
- PDF files arriving from untrusted senders that contain malformed object streams, oversized cross-reference tables, or unusual embedded JavaScript.
- Acrobat child processes making outbound network connections to unfamiliar domains or IPs.
Detection Strategies
- Hunt for Acrobat process trees that deviate from baseline, especially any process creation chain originating from a PDF viewer.
- Inspect endpoint telemetry for module loads of unsigned DLLs inside Acrobat processes or in-memory code execution patterns.
- Apply YARA or content rules to mail and web gateways to flag PDFs with malformed structures consistent with known exploit kits.
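The process-tree hunt described above, as an added example that is not part of the original advisory. It walks each interpreter's full ancestry rather than only its direct parent. The event tuples are constructed sample data, PID reuse is ignored, and `AcroCEF.exe` is assumed to be a benign helper in the baseline.

```python
# Constructed process-creation events (pid, ppid, image); not real telemetry.
EVENTS = [
    (100, 1, "C:\\Windows\\explorer.exe"),
    (200, 100, "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"),
    (210, 200, "AcroCEF.exe"),      # helper process, assumed part of the baseline
    (220, 200, "cmd.exe"),          # direct child of the viewer
    (230, 220, "powershell.exe"),   # grandchild, still in the viewer's chain
    (300, 100, "powershell.exe"),   # user-launched, unrelated to Acrobat
    (400, 1, "AdobeAcrobat"),       # macOS viewer process
    (410, 400, "/bin/sh"),
]

# Process names taken from the indicator list above, lower-cased.
VIEWERS = {"acrobat.exe", "acrord32.exe", "adobeacrobat"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "sh"}


def basename(image):
    """Reduce a Windows or POSIX image path to a lower-case file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events):
    """Return (pid, chain) for every interpreter descended from a PDF viewer."""
    procs = {pid: (ppid, basename(img)) for pid, ppid, img in events}
    hits = []
    for pid, (ppid, name) in procs.items():
        if name not in INTERPRETERS:
            continue
        chain, seen, cur = [name], {pid}, ppid
        # Walk towards the root; 'seen' guards against ppid loops in bad data.
        while cur in procs and cur not in seen:
            seen.add(cur)
            parent_ppid, parent_name = procs[cur]
            chain.append(parent_name)
            if parent_name in VIEWERS:
                hits.append((pid, " <- ".join(chain)))
                break
            cur = parent_ppid
    return hits


if __name__ == "__main__":
    for pid, chain in hunt(EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```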
Monitoring Recommendations
- Centralize Acrobat application crash and Windows Error Reporting events for review by the security team.
- Track Acrobat version inventory across endpoints to confirm patched builds are deployed.
- Alert on outbound connections initiated by Acrobat processes, which is uncommon in normal use.
How to Mitigate CVE-2026-47965
Immediate Actions Required
- Update Adobe Acrobat and Acrobat Reader to the fixed builds listed in Adobe Security Advisory APSB26-63.
- Inventory all Windows and macOS endpoints running Acrobat and prioritize patching for users who routinely handle external PDFs.
- Enable Acrobat Protected View and Protected Mode for files originating from the internet and email.
- Train users to avoid opening PDFs from untrusted or unexpected sources.
Patch Information
Adobe released patched versions for both the Classic and Continuous tracks in APSB26-63. Administrators should deploy the latest Acrobat and Reader installers from Adobe's update channels, or push updates through enterprise software distribution tools. Verify that the installed version is newer than 24.001.30365 (Classic) and 26.001.21651 (Continuous).
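One way to run this version check over an endpoint inventory, as an added example rather than Adobe tooling. The thresholds are the last vulnerable builds stated above; the inventory rows, host names, track labels, and sample versions are constructed, and the sample versions are not the fixed build numbers from APSB26-63.

```python
# Last vulnerable build per track, from the advisory text above.
LAST_VULNERABLE = {
    "classic": (24, 1, 30365),
    "continuous": (26, 1, 21651),
}


def parse_version(text):
    """Turn 'YY.MMM.NNNNN' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess(track, version):
    """Classify one install as 'vulnerable', 'patched', or 'review'."""
    limit = LAST_VULNERABLE.get(track.lower())
    parsed = parse_version(version)
    if limit is None or parsed is None:
        return "review"  # unknown track or unreadable version: check by hand
    # Numeric tuple comparison; "at or below the last vulnerable build" is affected.
    return "vulnerable" if parsed <= limit else "patched"


# Constructed inventory rows: (host, track, reported version).
INVENTORY = [
    ("ws-001", "continuous", "26.001.21651"),  # exactly the last vulnerable build
    ("ws-002", "continuous", "26.001.21700"),  # constructed newer build
    ("ws-003", "continuous", "26.001.9999"),   # sorts as "newer" if compared as text
    ("mac-01", "classic", "24.1.30400"),       # unpadded field, still comparable
    ("ws-004", "classic", "unknown"),          # agent returned no version
]


def report(inventory):
    return {host: assess(track, ver) for host, track, ver in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```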
Workarounds
- Where patching is delayed, enable Acrobat's Protected View for all files and restrict JavaScript execution within PDFs through the registry or FeatureLockDown policies.
- Use an alternate PDF viewer with strong sandboxing for files received from external parties until patches are applied.
- Block or quarantine inbound PDFs from untrusted senders at the email gateway and apply attachment sandboxing for suspicious documents.
# Example: enforce Acrobat Reader Protected View and disable JavaScript via Windows registry
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bProtectedMode /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v iProtectedView /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms" /v iURLPerms /t REG_DWORD /d 1 /f
# bDisableJavaScript is a value directly under FeatureLockDown, not under the cJavaScriptPerms subkey
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bDisableJavaScript /t REG_DWORD /d 1 /f

