CVE-2013-2729
Published: 16 May 2013
Summary
CVE-2013-2729 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Adobe Reader and Acrobat. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
An integer overflow vulnerability, tracked as CVE-2013-2729 and assigned CWE-190, affects Adobe Reader and Acrobat versions 9.x prior to 9.5.5, 10.x prior to 10.1.7, and 11.x prior to 11.0.03. The flaw permits arbitrary code execution through unspecified vectors and is distinct from the related issue CVE-2013-2727, which was fixed in the same bulletin. It carries a CVSS 3.1 base score of 9.8, a vector with network attack surface and no privilege or user-interaction requirement. Because CVSS 3.1 postdates this CVE, that score is retrospective; in practice, exploiting a document-reader flaw requires a victim to open a crafted PDF, so the realistic attack path is a malicious document delivered by email or web rather than a directly exposed network service.
A successful exploit executes arbitrary code in the context of the user running Reader or Acrobat, resulting in full compromise of confidentiality, integrity, and availability of that session. The severity stems from the fact that no local access or elevated privileges are needed beforehand: any unpatched installation that parses a crafted PDF is affected, and the presence of this CVE in the CISA KEV catalog confirms that it has been exploited in the wild.
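To make the CWE-190 pattern concrete, here is an added illustration written for this page. It is not Adobe's code and not the actual Acrobat bug, whose trigger is unspecified. A hypothetical record parser computes count * sizeof(record) in 32-bit arithmetic, the product wraps, and a tiny buffer is allocated for a write loop that would run far past it. The hardened variant checks the multiplication before allocating and also rejects input that is shorter than the size it claims. The record layout, the helper names and the sample header bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size record that a document parser reads in bulk (16 bytes). */
typedef struct { uint32_t a, b, c, d; } entry_t;

/* Read a little-endian uint32 from attacker-controlled input. */
static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (CWE-190): the product is computed in 32 bits and silently
 * wraps, so a huge count yields a tiny allocation. */
uint32_t entries_size_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(entry_t);
}

/* Bytes a loop writing `count` records would run past a buffer sized by
 * entries_size_unchecked(). Computed in 64 bits; nothing is actually written. */
uint64_t overflow_bytes(uint32_t count) {
    return (uint64_t)count * sizeof(entry_t) - entries_size_unchecked(count);
}

/* Hardened: reject any count whose byte size does not fit the size type.
 * Returns 1 and sets *out_bytes on success, 0 on overflow. */
int entries_size_checked(uint32_t count, uint32_t *out_bytes) {
    if (count > UINT32_MAX / (uint32_t)sizeof(entry_t)) return 0;
    *out_bytes = count * (uint32_t)sizeof(entry_t);
    return 1;
}

/* Same check as a plain value: -1 on overflow, otherwise the byte size. */
long long checked_size_or_neg(uint32_t count) {
    uint32_t bytes;
    return entries_size_checked(count, &bytes) ? (long long)bytes : -1LL;
}

/* Parse a [count:u32le][count * entry_t] blob. Returns 0 on success, -1 on
 * arithmetic overflow, -2 on truncated input, -3 on allocation failure.
 * The caller frees *out. */
int load_entries(const uint8_t *buf, size_t len, entry_t **out, uint32_t *out_count) {
    if (len < 4) return -2;
    uint32_t count = read_u32le(buf), bytes;
    if (!entries_size_checked(count, &bytes)) return -1;   /* would wrap */
    if (bytes > len - 4) return -2;                        /* claims more than present */
    entry_t *e = malloc(bytes ? bytes : 1);
    if (!e) return -3;
    memcpy(e, buf + 4, bytes);
    *out = e;
    *out_count = count;
    return 0;
}

/* Status-only wrapper that frees whatever load_entries() produced. */
int load_status(const uint8_t *buf, size_t len) {
    entry_t *e = NULL;
    uint32_t n = 0;
    int rc = load_entries(buf, len, &e, &n);
    free(e);
    return rc;
}

/* Constructed inputs. evil_header: count 0x10000001; 0x10000001 * 16 = 0x1_0000_0010,
 * which wraps to 16 in 32-bit arithmetic. valid_blob: one complete record.
 * truncated_blob: claims two records but carries only one. */
static const uint8_t evil_header[4] = { 0x01, 0x00, 0x00, 0x10 };
static const uint8_t valid_blob[20] = { 0x01, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t truncated_blob[20] = { 0x02, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

int main(void) {
    uint32_t count = read_u32le(evil_header);
    printf("count=0x%x unchecked alloc=%u bytes, write loop would overrun by %llu bytes\n",
           count, entries_size_unchecked(count), (unsigned long long)overflow_bytes(count));
    printf("hardened parser: evil=%d valid=%d truncated=%d\n",
           load_status(evil_header, sizeof evil_header),
           load_status(valid_blob, sizeof valid_blob),
           load_status(truncated_blob, sizeof truncated_blob));
    return 0;
}
```

The division-based check is portable C; on GCC and Clang, __builtin_mul_overflow() expresses the same guard without the division. Note that the length check alone would not have saved the unchecked variant: with the wrapped size of 16, a 20-byte input passes the "enough data" test while the record loop still iterates 0x10000001 times.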
Adobe security bulletin APSB13-15 fixes the flaw by updating Reader and Acrobat to 9.5.5, 10.1.7 and 11.0.03 respectively; downstream advisories (Red Hat RHSA-2013:0826, openSUSE and Gentoo updates) and the corresponding OVAL definitions cover the Linux packaging of the same fix. Organizations are advised to apply these updates promptly, since only the patched releases remove the vulnerable code paths.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-2668
Vulnerability details
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Adobe Reader and Acrobat 9.x before 9.5.5
- Adobe Reader and Acrobat 10.x before 10.1.7
- Adobe Reader and Acrobat 11.x before 11.0.03
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the vendor patches that eliminate the integer-overflow code paths in Adobe Reader/Acrobat.
- CM-6 (Configuration Settings): Enforces configuration baselines that restrict systems to approved, patched versions of Acrobat/Reader.
- RA-5 (Vulnerability Monitoring and Scanning): Requires scanning to discover installations of the vulnerable 9.x/10.x/11.x releases before they are exploited.
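As an added example of the scanning step, not taken from this page or from Adobe, the check below decides whether an installed Reader/Acrobat version string falls inside the vulnerable ranges this entry names: 9.x before 9.5.5, 10.x before 10.1.7 and 11.x before 11.0.03. Versions are compared numerically per component, so the "11.0.3" that a file-version field reports and the "11.0.03" that the bulletin prints compare equal. Branches the bulletin does not cover (anything other than 9, 10 and 11) get a "not applicable" result instead of a verdict. The inventory strings in main are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTS 4

/* Parse "a.b.c" into up to MAX_PARTS integers; missing parts are zero.
 * Returns the number of parts parsed, or -1 on malformed input. */
int parse_version(const char *s, int parts[MAX_PARTS]) {
    int n = 0;
    memset(parts, 0, sizeof(int) * MAX_PARTS);
    const char *p = s;
    while (*p) {
        if (n == MAX_PARTS) return -1;            /* too many components */
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0) return -1;         /* no digits, or negative */
        parts[n++] = (int)v;
        if (*end == '\0') break;
        if (*end != '.') return -1;               /* junk such as "9.5.x" */
        p = end + 1;
        if (*p == '\0') return -1;                /* trailing dot */
    }
    return n ? n : -1;
}

/* Lexicographic comparison of parsed versions: <0, 0, >0. */
int compare_versions(const int a[MAX_PARTS], const int b[MAX_PARTS]) {
    for (int i = 0; i < MAX_PARTS; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* First fixed release per branch, as stated in this CVE entry (APSB13-15). */
static const struct { int major; const char *fixed; } fixed_by_branch[] = {
    { 9,  "9.5.5"   },
    { 10, "10.1.7"  },
    { 11, "11.0.03" },
};

/* Returns 1 if `installed` is vulnerable to CVE-2013-2729, 0 if it is at or
 * above the fixed release, -1 if the string is malformed or the branch is
 * outside the bulletin's scope. */
int is_vulnerable_to_cve_2013_2729(const char *installed) {
    int inst[MAX_PARTS], fix[MAX_PARTS];
    if (parse_version(installed, inst) < 0) return -1;
    for (size_t i = 0; i < sizeof fixed_by_branch / sizeof fixed_by_branch[0]; i++) {
        if (fixed_by_branch[i].major != inst[0]) continue;
        parse_version(fixed_by_branch[i].fixed, fix);
        return compare_versions(inst, fix) < 0 ? 1 : 0;
    }
    return -1;
}

int main(void) {
    /* Constructed inventory, as a scanner might collect from file-version fields. */
    const char *inventory[] = { "9.5.4", "9.5.5", "10.1.6", "10.1.7", "11.0.02",
                                "11.0.3", "10.1", "15.007.20033", "9.5.x" };
    static const char *verdict[] = { "fixed", "VULNERABLE", "not applicable/unparseable" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_vulnerable_to_cve_2013_2729(inventory[i]);
        printf("%-14s %s\n", inventory[i], verdict[r < 0 ? 2 : r]);
    }
    return 0;
}
```

Treat the -1 result as a prompt for a human, not as "clean": a scanner that silently skips unparseable or out-of-scope versions will under-report, which is exactly the failure RA-5 is meant to prevent.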