CVE-2018-4990
Published 2018-07-09
CVE-2018-4990: Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability…
Priority: P181
CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), due 2022-06-22
Exploited in the wild (ITW)
EPSS: 40.54% (98.5th percentile)
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat_dc | 15.006.30060 – 15.006.30417 | — |
| adobe | acrobat_dc | 15.008.20082 – 18.011.20038 | — |
| adobe | acrobat_dc | 17.011.30059 – 17.011.30079 | — |
| adobe | acrobat_reader_dc | 15.006.30060 – 15.006.30417 | — |
| adobe | acrobat_reader_dc | 15.008.20082 – 18.011.20038 | — |
| adobe | acrobat_reader_dc | 17.011.30059 – 17.011.30079 | — |
Detection & IOCs (extracted from sources)
- Detect NULL page memory allocation originating from AcroRd32, used in this exploit to allocate a fake data structure at the NULL page.
- Detect embedded JavaScript within a PDF that sets up a ROP chain leading to shellcode execution, the first phase of the CVE-2018-4990 exploit.
- The malicious PDF sample was uploaded to VirusTotal while still in development; hunting for the SHA256 hashes on VT or sandboxes is a viable detection approach.
- CVE-2018-4990 requires chaining with CVE-2018-8120 (Win32k EoP / null pointer dereference) to achieve full sandbox escape and SYSTEM-level code execution; neither vulnerability alone achieves complete compromise.
CVSS provenance
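| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |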
GHSA
GHSA-8x43-549v-7wcw: Adobe Acrobat and Reader versions 2018
ghsa_unreviewed·2022-05-14
CVE-2018-4990 [HIGH] CWE-415 GHSA-8x43-549v-7wcw: Adobe Acrobat and Reader versions 2018
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
VulnCheck
Adobe Acrobat and Reader Double Free Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-4990 [HIGH] CWE-415 Adobe Acrobat and Reader Double Free Vulnerability
Adobe Acrobat and Reader Double Free Vulnerability
Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution.
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-22
CISA
Adobe Acrobat and Reader Double Free Vulnerability
cisa·2022-06-08·CVSS 8.8
CVE-2018-4990 [HIGH] CWE-415 Adobe Acrobat and Reader Double Free Vulnerability
Vulnerability: Adobe Acrobat and Reader Double Free Vulnerability
Affected: Adobe Acrobat and Reader
Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-4990
Remediation Due Date: 2022-06-22
No detection rules found.
No public exploits indexed.
Securelist
IT threat evolution Q2 2018. Statistics
blogs_securelist·2018-08-06
IT threat evolution Q2 2018. Statistics
Table of Contents
- Q2 figures
- Mobile threats
- Attacks on IoT devices
- Online threats in the financial sector
- Vulnerable apps used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q2 figures
According to KSN:
- Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
- 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
- Ransomware attacks were registered on the computers of 158,921 unique users.
- Our File Anti-Virus logged 192,053,
Tenable
July Vulnerability of the Month: Two Zero-Days Caught in Development
blogs_tenable·2018-07-31·CVSS 8.8
[HIGH] July Vulnerability of the Month: Two Zero-Days Caught in Development
# July Vulnerability of the Month: Two Zero-Days Caught in Development
Tenable Research
July 31, 2018
An Adobe Reader double free vulnerability on Windows and macOS systems earns the nod for its interesting discovery and patch story.
Novelty, sophistication or just plain weirdness are some of the potential criteria we use to select the Tenable vulnerability of the month. We collect nominations from our 70+ research team members, shortlist the finalists and give the entire team the chance to vote -- combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.
## Background
This month, Tenable Research highlights CVE-2018-4990, an Adobe Reader double free vulnerability on Windows and macOS systems. C
Sentinelone
SentinelOne Detects New Malicious PDF File
blogs_sentinelone·2018-06-11·CVSS 8.8
[HIGH] SentinelOne Detects New Malicious PDF File
Documents have always been a popular attack vector. Unlike executables, documents have traditionally been considered less suspicious and less harmful, which made it easier for attackers using them to circumvent traditional security solutions. Over time, with growing scripting and macro capabilities, documents became much more similar to executables, in the sense that they could run code, create processes and more. Recently, a new malicious PDF file was identified by ESET and Microsoft. Though it has not yet been observed in the wild, it is pretty dangerous, as it exploits two previous zero-day vulnerabilities: remote code execution in Adobe Reader (CVE-2018-4990) and privilege escalation in Microsoft Windows (CVE-2018-8120).
The attack is carried out in 2 phases. First, a JS code th
Crowdstrike
Leveraging Falcon Sandbox to Detect and Analyze Malicious PDFs Containing Zero-Day Exploits
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Leveraging Falcon Sandbox to Detect and Analyze Malicious PDFs Containing Zero-Day Exploits
arXiv
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks
arxiv_fulltext·2020-04-14
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks
- Davide Maiorca (University of Cagliari, Piazza d'Armi, 09123 Cagliari, Italy)
- Battista Biggio (University of Cagliari, Piazza d'Armi, 09123 Cagliari, Italy; Pluribus One, Italy)
- Giorgio Giacinto (University of Cagliari, Piazza d'Armi, 09123 Cagliari, Italy; Pluribus One, Italy)
## Abstract
Malware still constitutes a major threat in the cybersecurity landscape, also due to the widespread use of infection vectors such as documents. These infection vectors hide embedded malicious code to the victim users, facilitating the use of social engineering techniques to infect their machines.
Research showed that machine-learning algorithms provide effective
arXiv
On the Effectiveness of Type-based Control Flow Integrity
arxiv_fulltext·2020-02-14
On the Effectiveness of Type-based Control Flow Integrity
2018 Annual Computer Security Applications Conference (ACSAC '18), December 3-7, 2018, San Juan, PR, USA
DOI: 10.1145/3274694.3274739
ISBN: 978-1-4503-6569-7/18/12
- Reza Mirzazade farkhani (Northeastern University)
- Saman Jafari (Northeastern University)
- Sajjad Arshad (Northeastern University)
- William Robertson (Northeastern University)
- Engin Kirda (Northeastern University)
- Hamed Okhravi (MIT Lincoln Laboratory)
## Abstract
Control flow integrity (CFI) has received significant attention in the community
- http://www.securityfocus.com/bid/104167
- http://www.securitytracker.com/id/1040920
- https://helpx.adobe.com/security/products/acrobat/apsb18-09.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4990
2018-07-09: Published
2022-06-08: Added to CISA KEV
Exploited in the wild