⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-28550Use After Free in Adobe Acrobat Reader

CWE-416Use After Free18 documents10 sources
Severity
8.8HIGHNVD
EPSS
32.6%
top 3.13%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
4
Adobe Acrobat ReaderAdobe AcrobatAdobe Acrobat DC+1 more
Timeline
PublishedSep 2
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

CVEListV5adobe/acrobat_readerunspecified2020.001.30020+3
NVDadobe/acrobat_reader17.011.3005917.011.30194+1
NVDadobe/acrobat_reader_dc15.008.2008221.001.20150+1
NVDadobe/acrobat17.011.3005917.011.30194+1
NVDadobe/acrobat_dc15.008.2008221.001.20150+1

🔴Vulnerability Details

3
GHSA
GHSA-865h-4rjv-52pg: Acrobat Reader DC versions versions 20212022-05-24
CVEList
Adobe Acrobat Reader use after free vulnerability could lead to arbitrary code execution2021-09-02
VulnCheck
Adobe Acrobat and Reader Use-After-Free Vulnerability2021

📋Vendor Advisories

3
CISA
Adobe Acrobat and Reader Use-After-Free Vulnerability2021-11-03
Microsoft
Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability2021-06-08
Microsoft
Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability2021-06-08

🕵️Threat Intelligence

11
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys2022-02-23
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys2021-11-09
Krebs
Microsoft Patches Six Zero-Day Security Holes2021-06-08
Talos
Microsoft Patch Tuesday for June 2021 — Snort rules and prominent vulnerabilities2021-06-08
CVE-2021-28550 — Use After Free in Adobe Acrobat Reader | cvebase