CVE-2021-28550: Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After…

high8.8CVSS 3.1

AVNACLPRNUIRSUCHIHAH

KEVITW

CISA Known Exploited Vulnerabilitydue 2021-11-17

Exploited in the wild

Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Affected

25 ranges

Vendor	Product	Version range	Fixed in
adobe	acrobat	17.011.30059 – 17.011.30194	—
adobe	acrobat	20.001.30005 – 20.001.30020	—
adobe	acrobat_dc	15.008.20082 – 21.001.20150	—
adobe	acrobat_dc	15.008.20082 – 21.001.20149	—
adobe	acrobat_reader	17.011.30059 – 17.011.30194	—
adobe	acrobat_reader	20.001.30005 – 20.001.30020	—
adobe	acrobat_reader	unspecified – 2020.001.30020	—
adobe	acrobat_reader_dc	15.008.20082 – 21.001.20150	—
adobe	acrobat_reader_dc	15.008.20082 – 21.001.20149	—
msrc	windows_10	—	—
msrc	windows_10_version_1607	—	—
msrc	windows_10_version_1809	—	—
msrc	windows_10_version_1909	—	—
msrc	windows_10_version_2004	—	—
msrc	windows_10_version_20h2	—	—
msrc	windows_10_version_21h1	—	—
msrc	windows_7	—	—
msrc	windows_8.1	—	—
msrc	windows_rt_8.1	—	—
msrc	windows_server_2008	—	—
msrc	windows_server_2008_r2	—	—
msrc	windows_server_2012	—	—
msrc	windows_server_2012_r2	—	—
msrc	windows_server_2016	—	—
msrc	windows_server_2019	—	—

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vulncheck8.8HIGH

cisa8.8HIGH