CVE-2026-27220: use-after-free in Adobe Acrobat Reader DC's Annotation parser, CVSS 7.8. Patch available, no known in-the-wild exploits.

On June 10, 2026, Adobe released bulletin APSB26-26 addressing CVE-2026-27220, a use-after-free vulnerability in Acrobat Reader DC's Annotation object parser that allows arbitrary code execution through opening specially crafted PDF files. The discovery, coordinated by the TrendAI Zero Day Initiative, confirms that the PDF format remains a privileged attack vector despite decades of hardening the world's most widely deployed viewer.

Key Takeaways
  • CVE-2026-27220 is a use-after-free in Adobe Acrobat Reader DC's handling of Annotation objects, with a CVSS 7.8 HIGH score per the official CVE record
  • Code execution occurs in the context of the current process and requires user interaction: opening a malicious PDF or visiting a malicious web page
  • Affected versions include the 24.001.30307, 24.001.30308, 25.001.21265 series and earlier; patches bring versions to 25.001.21288 (Continuous) and 24.001.30356 (Classic 2024)
  • Adobe is not aware of in-the-wild exploits; coordinated disclosure occurred 128 days after researcher Mark Vincent Yason's initial report

The Mechanism: Annotation Objects Without Validation

The flaw resides specifically in the PDF parser's handling of Annotation objects. According to advisory ZDI-26-355, published June 10, 2026 in a coordinated public release, the issue stems from the parser not validating that an object still exists before performing operations on it. This condition creates a use-after-free: a pointer is dereferenced after the memory it references has been freed, opening the door to manipulation of the execution flow.

An attacker can exploit this condition to execute arbitrary code in the context of the running process. Attack complexity is low: the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U indicates a local attack vector, low complexity and no privileges required, but user interaction is required. Impact on confidentiality, integrity, and availability is rated HIGH across all three.

"The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object." — ZDI Advisory ZDI-26-355

Versions in Scope: From Continuous to Classic 2024

Per the official CVE-2026-27220 record and vendor advisory, affected versions are those up to 25.001.21265 for the Continuous track and up to 24.001.30307 and 24.001.30308 for the Classic 2024 track on Windows and Mac. The reach is significant: Acrobat Reader DC is deployed on hundreds of millions of enterprise and consumer endpoints.

Adobe has distributed patches through the usual automatic update channels. The fixed version for the Continuous track is 25.001.21288; for Classic 2024, 24.001.30356. Bulletin APSB26-26 collects the fix for this and other vulnerabilities, with attribution to researcher Mark Vincent Yason (markyason.github.io) in collaboration with TrendAI Zero Day Initiative.

Disclosure: 128 Days From Report to Patch

The ZDI timeline documents a standard coordinated disclosure: initial report dates to February 3, 2026, public release to June 10, 2026. This 128-day interval falls within typical vendor-coordination windows, but leaves an exposure window managed through informational embargo.

On the active threat front, Adobe explicitly states: "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates". This statement, present in bulletin APSB26-26, does not rule out post-disclosure weaponization, but documents the absence of evidence at time of publication.

The ZDI advisory does not name the researcher; full attribution appears only in the Adobe bulletin. This discrepancy between primary sources is a limitation of the dossier that does not invalidate the technical details, but documents how the discovery's provenance emerges in fragmented fashion.

What to Do Now

  • Verify the installed version of Adobe Acrobat Reader DC: Help > About. If the build is equal to or lower than 25.001.21265 (Continuous) or 24.001.30308/24.001.30307 (Classic 2024), an update is required
  • Apply patch APSB26-26 through Adobe's official distribution channel: automatic update is the primary vehicle indicated by the vendor for both release tracks
  • Reduce attack surface from external documents: limit opening PDFs from unverified sources, given the user interaction requirement for exploitation
  • Monitor execution logs for anomalies in the AcroRd32.exe/Acrobat.exe process corresponding to document opens from external origins
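The version check and the process-monitoring item above can both be scripted. The following is an added example, not code from the advisory, ZDI or Adobe: it compares an Acrobat Reader DC build string (as shown under Help > About) against the fixed builds named in APSB26-26, and it flags process-creation records in which AcroRd32.exe or Acrobat.exe spawned a child that a document viewer has no reason to launch (a common post-exploitation sign, used here as the "anomaly" to look for). The event dictionaries, hostnames, timestamps and file paths are constructed for this example, and the list of suspicious child images is an assumed starting point to tune for your environment.

```python
"""Defender-side triage helpers for CVE-2026-27220 (added example, not from the advisory).

1. classify_reader_version(): is this build below the fixed build for its track?
2. suspicious_reader_children(): which process-creation events show Acrobat Reader
   spawning a child a PDF viewer should not launch?
Event field names below (ts, host, parent_image, image, cmdline) are an assumed
schema; map them to your EDR or Sysmon export.
"""
from typing import Dict, Iterable, List, Tuple

# Fixed builds per APSB26-26; the major version identifies the release track.
FIXED_BUILDS: Dict[int, Tuple[str, Tuple[int, int, int]]] = {
    25: ("Continuous", (25, 1, 21288)),
    24: ("Classic 2024", (24, 1, 30356)),
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '25.001.21265' into (25, 1, 21265) so builds compare numerically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat build string: {version!r}")
    return tuple(int(p) for p in parts)


def format_build(build: Tuple[int, ...]) -> str:
    """Inverse of parse_build, restoring Adobe's zero-padded middle field."""
    major, minor, patch = build
    return f"{major}.{minor:03d}.{patch}"


def classify_reader_version(version: str) -> Dict[str, object]:
    """Return the track, whether an update is needed, and the target build.

    needs_update is None when the major version matches neither track named in
    the bulletin, so the build must be reviewed by hand rather than assumed safe.
    """
    build = parse_build(version)
    track = FIXED_BUILDS.get(build[0])
    if track is None:
        return {"track": "unknown", "needs_update": None, "fixed_build": None}
    name, fixed = track
    return {"track": name, "needs_update": build < fixed, "fixed_build": format_build(fixed)}


# Process images named in the advisory's monitoring recommendation.
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
# Assumed watch-list: interpreters and LOLBins a PDF viewer does not normally start.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_reader_children(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-creation events where Reader is the parent of a watch-listed child."""
    return [
        ev for ev in events
        if _basename(ev.get("parent_image", "")) in READER_IMAGES
        and _basename(ev.get("image", "")) in SUSPICIOUS_CHILDREN
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2026-06-11T09:11:58Z", "host": "WS-0142",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "cmdline": "AcroRd32.exe invoice_2026-06.pdf"},          # normal: user opens a PDF
    {"ts": "2026-06-11T09:12:03Z", "host": "WS-0142",
     "parent_image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c <redacted-placeholder>"},          # anomalous: viewer spawns a shell
    {"ts": "2026-06-11T09:12:10Z", "host": "WS-0077",
     "parent_image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "cmdline": "RdrCEF.exe"},                                  # normal: Reader helper process
]


if __name__ == "__main__":
    for v in ("25.001.21265", "25.001.21288", "24.001.30308", "24.001.30356"):
        print(v, classify_reader_version(v))
    for hit in suspicious_reader_children(SAMPLE_EVENTS):
        print("ALERT", hit["host"], hit["ts"], hit["parent_image"], "->", hit["image"])
```

Running the block prints the triage verdict for each build on the page (the two pre-patch builds need an update, the two fixed builds do not) and a single alert for the event where Reader spawned cmd.exe; the helper-process and explorer-launched events are not flagged.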

The Longevity of the PDF Vector: A Structural Problem

The recurrence of use-after-free flaws in Adobe's PDF parser is no isolated accident. The PDF format is one of the most complex in circulation: annotations, JavaScript, forms, digital signatures, 3D, multimedia — every feature added over the years has exponentially expanded the parsing attack surface. The result is that the world's most widely deployed viewer continues to carry vulnerabilities rated HIGH with low attack complexity.

The fact that this specific flaw requires user interaction does not diminish its danger in enterprise contexts: PDF is the standard format for invoices, contracts, reports, institutional communications. The combination of a seemingly legitimate attachment and a parser with insufficient validation on Annotation objects remains one of the most reliable spear-phishing vectors for threat actors.

The patch is available, disclosure was coordinated, no in-the-wild exploit is documented. But the structure of the problem — complex parser, legacy features, vast attack surface — suggests the next ZDI advisory on Adobe Reader with a progressive ID will not be the last.

Frequently Asked Questions

Is it necessary to uninstall Adobe Reader?

The dossier does not document uninstallation recommendations. Adobe has released specific patches; updating to versions 25.001.21288 or 24.001.30356 is the vendor-indicated measure.

Does the vulnerability require elevated privileges?

No. The CVSS vector indicates PR:N (Privileges Required: None). Execution occurs in the context of the current user process, with no need for preliminary escalation.

Why is the CVSS score 7.8 and not Critical?

The official CVE-2026-27220 record assigns CVSS 7.8 HIGH. Adobe classifies the impact as Critical in its internal terminology, but the standardized score is 7.8. This distinction is not a numerical discrepancy: they are different assessment scales, both documented in the dossier.

Sources and references

Information verified against cited sources and current as of publication.
  1. zerodayinitiative.com
  2. cve.org
  3. helpx.adobe.com