A vulnerability was found in Adobe Acrobat Reader up to 2015.006.30505/2017.011.30152/2019.021.20056 (Document Reader Software). It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation with an unknown input leads to a use after free vulnerability. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.011.30152 and earlier, 2017.011.30155 and earlier version, 2017.011.30152 and earlier, and 2015.006.30505 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

The weakness was published 12/10/2019 as APSB19-55 as confirmed security bulletin (Website). The advisory is shared for download at helpx.adobe.com. This vulnerability is handled as CVE-2019-16464. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 03/10/2024).

Upgrading to version 2015.006.30508, 2017.011.30156 or 2019.021.20058 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

blogs.adobe.com is providing further details. Similar entries are available at 146948, 146949, 146950 and 146951.

Productinfo

Type

• Document Reader Software

Vendor

• Adobe

Name

• Acrobat Reader

Version

• 2015.006.30505
• 2017.011.30152
• 2019.021.20056

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion