CVE-2023-26420 in Acrobat Reader
Summary
by MITRE • 04/13/2023
Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Analysis
by VulDB Data Team • 11/09/2025
Adobe Acrobat Reader contains a critical use after free vulnerability in its handling of PDF documents that allows remote code execution when a user opens a maliciously crafted file. The vulnerability resides in the memory management functions responsible for processing certain PDF objects and can be exploited through a classic use after free attack pattern, in which freed memory is accessed after deallocation. The flaw affects multiple versions of Adobe Acrobat Reader, including 23.001.20093 and earlier releases as well as 20.005.30441 and earlier versions, indicating that this is a widespread issue within the product line. The vulnerability is classified under CWE-416 as a use after free condition where memory is accessed after it has been freed, a pattern commonly exploited by attackers to achieve arbitrary code execution.

When a user opens a malicious PDF file, the application's processing of specific objects within the document triggers the vulnerability by causing a memory allocation to be freed and then subsequently accessed, allowing an attacker to inject and execute malicious code with the privileges of the current user. This represents a significant security risk because it requires only user interaction through opening a file, making it particularly dangerous in phishing campaigns or malicious document delivery attacks. The attack vector follows typical exploitation patterns described in the attack tree framework, where initial access is achieved through social engineering or malicious file delivery, followed by code execution within the victim's session. The operational impact extends beyond simple code execution, as successful exploitation can lead to complete system compromise, data exfiltration, and the establishment of persistence mechanisms.

Organizations should immediately update to the latest versions of Adobe Acrobat Reader to remediate this vulnerability, as the use after free condition creates a predictable exploitation window that attackers can readily leverage. Security teams should also implement network-based detection measures to identify potentially malicious PDF files and consider user education programs to reduce the risk of users opening malicious files by accident. The vulnerability demonstrates the ongoing challenges in PDF processing security, where complex document formats create numerous attack surfaces that require continuous monitoring and patch management to maintain secure operations. This issue aligns with common attack patterns in the MITRE ATT&CK framework, where adversaries leverage application vulnerabilities to achieve code execution and establish persistent access to target systems.
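
To act on the update advice, a patch-triage check against the two affected ranges stated in the summary, as an added example (not VulDB's or Adobe's code). It assumes Adobe's numbering convention in which a third component in the 30000 range marks the Classic track, so those builds are compared against 20.005.30441 and all others against 23.001.20093; the inventory lines and host names are constructed.

```python
import re

# Upper bounds of the affected ranges, taken from the advisory text.
AFFECTED_BOUNDS = {
    "continuous": (23, 1, 20093),  # 23.001.20093 and earlier
    "classic": (20, 5, 30441),     # 20.005.30441 and earlier
}

VERSION_RE = re.compile(r"^(\d{2})\.(\d{3})\.(\d{5})$")


def parse_version(text):
    """Return (major, minor, build) or None if the string is not a version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def track_of(version):
    # Assumption: builds 30000-39999 belong to the Classic track.
    return "classic" if 30000 <= version[2] <= 39999 else "continuous"


def classify(text):
    """'affected', 'not-affected', or 'unknown' for unparseable input."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # never treat missing data as patched
    bound = AFFECTED_BOUNDS[track_of(version)]
    return "affected" if version <= bound else "not-affected"


def triage(inventory_text):
    """Map host -> classification from 'host,version' lines."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results


# Constructed sample inventory; versions above the bounds are made up.
SAMPLE_INVENTORY = """
# host,acrobat_reader_version
ws-001,23.001.20093
ws-002,23.001.20999
ws-003,20.005.30441
ws-004,20.005.30999
ws-005,22.003.20310
ws-006,
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The per-track comparison matters because a Classic build above its bound (ws-004) is still numerically lower than 23.001.20093 and would be misreported as affected by a single comparison.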