⚠ Actively exploited
Added to CISA KEV on 2022-06-08. Federal agencies required to patch by 2022-06-22. Required action: Apply updates per vendor instructions..

CVE-2018-4990Double Free in Adobe Acrobat DC

CWE-415Double Free14 documents9 sources
Severity
8.8HIGHNVD
EPSS
51.5%
top 2.10%
CISA KEV
KEV
Added 2022-06-08
Due 2022-06-22
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Adobe Acrobat DCAdobe Acrobat Reader DC
Timeline
PublishedJul 9
KEV addedJun 8
KEV dueJun 22
CISA Required Action: Apply updates per vendor instructions.

Description

Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDadobe/acrobat_reader_dc15.006.3006015.006.30417+2
NVDadobe/acrobat_dc15.006.3006015.006.30417+2

🔴Vulnerability Details

2
GHSA
GHSA-8x43-549v-7wcw: Adobe Acrobat and Reader versions 20182022-05-14
VulnCheck
Adobe Acrobat and Reader Double Free Vulnerability2018

📋Vendor Advisories

1
CISA
Adobe Acrobat and Reader Double Free Vulnerability2022-06-08

🕵️Threat Intelligence

8
Securelist
IT threat evolution Q2 2018. Statistics2018-08-06
Securelist
IT threat evolution Q2 2018. Statistics2018-08-06
Tenable
July Vulnerability of the Month: Two Zero-Days Caught in Development2018-07-31
Tenable
July Vulnerability of the Month: Two Zero-Days Caught in Development2018-07-31
Sentinelone
SentinelOne Detects New Malicious PDF File2018-06-11

📄Research Papers

2
arXiv
Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks2020-04-14
arXiv
On the Effectiveness of Type-based Control Flow Integrity2020-02-14