CVE-2011-2462
Published: 07 December 2011
Summary
CVE-2011-2462 is a critical-severity out-of-bounds write (CWE-787) in the U3D component of Adobe Reader and Acrobat. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, it was exploited in the wild before a patch was available, and CISA added it to the Known Exploited Vulnerabilities catalog on 08 June 2022.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
The vulnerability CVE-2011-2462 is an unspecified flaw in the U3D (Universal 3D) component of Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and of Adobe Reader 9.x through 9.4.6 on UNIX. It is classified as CWE-787 (out-of-bounds write); the effect is memory corruption, and its CVSS 3.1 base score is 9.8.
Remote attackers can exploit it to execute arbitrary code or cause a denial of service. The public description gives no trigger details ("unknown vectors"), but because the bug is in the U3D parser a triggering document must carry U3D 3D content, which is rare in ordinary business PDFs: a PDF with an embedded 3D annotation arriving from an untrusted sender is the thing to look at. The vulnerability was exploited in the wild in December 2011; Adobe's advisory APSA11-04 described the attacks as limited and targeted, against Reader 9.x on Windows, and noted that Reader X Protected Mode and Acrobat X Protected View would prevent an exploit of this type from executing, which is why the 9.x fix shipped out of band and the 10.x fix waited for the quarterly update.
Adobe security advisories APSA11-04, APSB11-30 and APSB12-01, along with the corresponding openSUSE updates, address the flaw through vendor-supplied patches for the affected Reader and Acrobat releases: APSB11-30 was the out-of-band fix for the 9.x branch and APSB12-01 the scheduled quarterly update that covered the remaining affected releases. Organizations are advised to apply these updates promptly; until they are, Reader 9.x hosts that open externally sourced PDFs are the priority.
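Because the flaw is in the U3D component, a document that reaches it has to declare U3D 3D content somewhere in its object graph. The scanner below is added here as an example; it is not part of the advisory and not Adobe tooling. It flags PDFs that contain a 3D annotation (/Subtype /3D) or a U3D stream (/Subtype /U3D), and it inflates FlateDecode object streams so that an annotation dictionary packed into one is not missed. It is a hunting heuristic that finds U3D content, not this exploit; the two PDFs it builds are constructed test inputs, and the function names are my own.

```python
import re
import sys
import zlib

# PDF name tokens are case-sensitive. A 3D annotation is /Subtype /3D, and the
# 3D stream it references declares /Subtype /U3D (or /PRC). Only U3D data
# reaches the component named in the advisory, so /U3D is the primary indicator.
U3D_STREAM_RE = re.compile(rb"/Subtype\s*/U3D\b")
ANNOT_3D_RE = re.compile(rb"/Subtype\s*/3D\b")
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm\b")
FLATE_RE = re.compile(rb"/Filter\s*/FlateDecode\b")
# Stream bodies are delimited by the keywords rather than /Length: a scanning
# heuristic that tolerates malformed files, not a conforming PDF parser.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate_object_streams(data: bytes):
    """Yield the decoded bodies of FlateDecode object streams (/Type /ObjStm).

    Stream objects cannot be stored inside an object stream, so the 3D
    stream's own dictionary is always in the clear; the /Annot dictionary that
    references it usually is not, which is why the object streams are opened.
    """
    for m in STREAM_RE.finditer(data):
        head = data[max(0, m.start() - 1024):m.start()]
        head = head[head.rfind(b" obj") + 1:]  # keep only this object's dictionary
        if OBJSTM_RE.search(head) and FLATE_RE.search(head):
            try:
                yield zlib.decompressobj().decompress(m.group(1))
            except zlib.error:
                continue  # corrupt or non-zlib body: skip it, do not fail the scan


def scan_pdf(data: bytes) -> dict:
    """Count U3D indicators in the raw bytes and inside inflated object streams."""
    result = {
        "u3d_streams": len(U3D_STREAM_RE.findall(data)),
        "annots_3d": len(ANNOT_3D_RE.findall(data)),
        "annots_3d_in_objstm": sum(
            len(ANNOT_3D_RE.findall(body)) for body in _inflate_object_streams(data)
        ),
    }
    result["suspicious"] = any(result.values())
    return result


def build_sample_pdf(hide_annot_in_objstm: bool) -> bytes:
    """Constructed test input, not a real-world sample: a skeletal PDF with one
    3D annotation (object 3) whose data stream (object 4) is U3D. With
    hide_annot_in_objstm=True the annotation is packed into a FlateDecode
    object stream, as PDF writers routinely do."""
    annot = b"<< /Type /Annot /Subtype /3D /Rect [0 0 200 200] /3DD 4 0 R >>"
    u3d_payload = b"U3D\x00" + b"\x00" * 12  # placeholder bytes, not a real U3D file
    parts = [b"%PDF-1.7\n"]
    if hide_annot_in_objstm:
        packed = zlib.compress(b"3 0 " + annot)
        parts.append(
            b"2 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode "
            b"/Length %d >>\nstream\n" % len(packed)
            + packed + b"\nendstream\nendobj\n"
        )
    else:
        parts.append(b"3 0 obj\n" + annot + b"\nendobj\n")
    parts.append(
        b"4 0 obj\n<< /Type /3D /Subtype /U3D /Length %d >>\nstream\n" % len(u3d_payload)
        + u3d_payload + b"\nendstream\nendobj\n"
    )
    parts.append(b"%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan_pdf(fh.read()))
    else:
        for hidden in (False, True):
            print("constructed sample, annotation in ObjStm=%s:" % hidden,
                  scan_pdf(build_sample_pdf(hidden)))
```

Run it as `python u3d_scan.py suspect.pdf` (any file name; the script name is my own) or with no arguments to scan the two constructed samples. Two caveats: an encrypted PDF still exposes dictionary names, so the /U3D indicator survives encryption, but object streams compressed with a filter other than FlateDecode are not opened, and a raw-bytes scan cannot follow every indirection a malformed file might use. A hit means "this PDF carries 3D content and deserves inspection or detonation", not "this PDF exploits CVE-2011-2462".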
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2011-2451
Vulnerability details
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Adobe Reader 10.1.1 and earlier on Windows and Mac OS X
- Adobe Acrobat 10.1.1 and earlier on Windows and Mac OS X
- Adobe Reader 9.x through 9.4.6 on UNIX
Mitigating Controls (NIST 800-53 r5)
- SI-2 Flaw Remediation: directly requires timely installation of the vendor patches (APSB11-30, APSB12-01 and the corresponding distribution updates) that remediate the U3D memory-corruption flaw in Adobe Reader/Acrobat.
- SI-7 Software, Firmware, and Information Integrity: requires integrity verification of installed software so that only patched, untampered Adobe binaries are executed.
- RA-5 Vulnerability Monitoring and Scanning: mandates scanning to discover unpatched instances of Adobe Reader/Acrobat that fall inside the affected version ranges for CVE-2011-2462.
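The RA-5 step in practice is a version comparison against the affected ranges, and it is easy to get wrong at the branch boundaries (9.4.6 versus 9.4.7, 10.1.1 versus 10.1.2, and the UNIX range that covers only Reader 9.x). The triage script below is an added example, not tooling from the page or from Adobe: it encodes the ranges exactly as the CVE description states them, reads a CSV inventory of installed versions (as an endpoint agent or software-inventory export would provide; collecting those versions is platform-specific and outside this script), and separates hosts in range from hosts whose version string could not be parsed. The inventory rows are constructed, and the function names are my own.

```python
import csv
import io

# Affected ranges exactly as the CVE description states them, inclusive on
# both ends. "10.1.1 and earlier" is taken literally, so 9.x and older on
# Windows/Mac OS X are in range too; Acrobat on UNIX is not listed by the
# description and is therefore not reported.
AFFECTED = {
    ("reader", "windows"): ((0, 0, 0), (10, 1, 1)),
    ("acrobat", "windows"): ((0, 0, 0), (10, 1, 1)),
    ("reader", "mac os x"): ((0, 0, 0), (10, 1, 1)),
    ("acrobat", "mac os x"): ((0, 0, 0), (10, 1, 1)),
    ("reader", "unix"): ((9, 0, 0), (9, 4, 6)),
}
# Inventory exports spell platforms inconsistently; normalise before lookup.
PLATFORM_ALIASES = {
    "win": "windows", "windows": "windows",
    "mac": "mac os x", "macos": "mac os x", "mac os x": "mac os x",
    "unix": "unix", "linux": "unix", "solaris": "unix",
}


def parse_version(text: str) -> tuple:
    """'9.4.6' -> (9, 4, 6); short strings are zero-padded so '10.1' == (10, 1, 0).
    Raises ValueError for anything that is not dotted integers."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(product: str, version: str, platform: str) -> bool:
    """True when (product, platform, version) falls inside an affected range."""
    key = (product.strip().lower(), PLATFORM_ALIASES.get(platform.strip().lower()))
    bounds = AFFECTED.get(key)
    if bounds is None:
        return False
    low, high = bounds
    return low <= parse_version(version) <= high


def triage(inventory_csv: str) -> dict:
    """Split a CSV inventory (header: host,product,version,platform) into
    'affected' rows and 'unknown' rows whose version could not be parsed.
    Unparseable versions are surfaced rather than silently treated as safe."""
    report = {"affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = (row["host"], row["product"], row["version"], row["platform"])
        try:
            if is_affected(row["product"], row["version"], row["platform"]):
                report["affected"].append(entry)
        except ValueError:
            report["unknown"].append(entry)
    return report


# Constructed inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = """host,product,version,platform
fin-ws-01,Reader,9.4.6,Windows
fin-ws-02,Reader,10.1.1,Windows
fin-ws-03,Reader,10.1.2,Windows
hr-mac-01,Acrobat,10.1.1,macOS
build-01,Reader,9.4.6,Linux
build-02,Reader,9.4.7,Linux
build-03,Reader,9.5,Linux
web-01,Reader,unknown,Linux
"""

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for entry in report["affected"]:
        print("AFFECTED  %-10s %-8s %-7s %s" % entry)
    for entry in report["unknown"]:
        print("UNKNOWN   %-10s %-8s %-7s %s" % entry)
```

The ranges are inclusive tuples compared lexicographically, which is what makes 9.4.7 and 9.5 on UNIX fall outside while 9.4.6 stays inside, and which keeps 10.1.2 (the first 10.x release past the stated ceiling) out on Windows and Mac OS X. Feed it a real export with `triage(open("inventory.csv").read())` and treat every "unknown" row as work to do, not as clean.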