Adobe Acrobat Reader DC Remote Code Execution Vulnerability
• glitchnsec
CVE: CVE-2021-28639
CVSS3.1: 9.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vendor: Adobe Systems
CWEs:
Affected Products:
- Adobe Acrobat Reader DC
Other Advisories:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28639
- https://helpx.adobe.com/ca/security/products/acrobat/apsb21-51.html
- https://www.zerodayinitiative.com/advisories/ZDI-21-813/
Description
This vulnerability is due to an unchecked assumption about the state of an object in memory when processing the WM_SETFOCUS
message. The object may be destroyed and subsequently re-accessed, leading to a use-after-free condition.
Fixed Versions:
- Adobe Acrobat Reader DC 2021.005.20058
- Adobe Acrobat Reader 2020 (Classic) 2020.004.30006
- Adobe Acrobat Reader 2017 (Classic) 2017.011.30199
Disclosure Timeline
- 2021-05-12 - Vulnerability reported to ZDI
- 2021-05-13 - Vulnerability reported to vendor by ZDI
- 2021-07-13 - Coordinated public release of advisory