Cyber Resilience

CVE-2013-2729

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 May 2013
Modified: 22 April 2026
KEV Added: 28 March 2022
Patch: available (Adobe APSB13-15; see Deeper analysis)
CVSS v3.1: 9.8 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.8961 (99.6th percentile)
Risk Priority: 93 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2013-2729 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Adobe Reader and Acrobat. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, which means exploitation has been observed in the wild.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings): update every install to 9.5.5, 10.1.7 or 11.0.03 (or later) and enforce that older builds cannot remain or be reinstalled.

Deeper analysis

CVE-2013-2729 is an integer overflow (CWE-190) in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03. The NVD description gives no detail on the trigger ("unspecified vectors") and notes that it is a separate bug from CVE-2013-2727, which the same Adobe bulletin addresses. The CVSS v3.1 base score of 9.8 reflects a vector scored as network-reachable with no privileges and no user interaction required.

Successful exploitation gives the attacker arbitrary code execution in the context of the user running Reader or Acrobat, with full loss of confidentiality, integrity and availability on that host. The vector string rates the flaw as exploitable without local access or elevated privileges; in practice, because Reader and Acrobat are document viewers rather than network services, the delivery path is a crafted PDF that the target opens, typically as an email attachment or a web download. The exposed population is therefore every endpoint with an unpatched Reader or Acrobat install, not a set of listening hosts.

Adobe security bulletin APSB13-15 fixes the flaw in Reader and Acrobat 9.5.5, 10.1.7 and 11.0.03. Downstream advisories for the Linux Reader package (Red Hat RHSA-2013-0826, openSUSE and Gentoo updates) and the corresponding OVAL definitions carry the same fix. The remediation is to move every affected install to one of those releases or later; organizations should do so promptly to remove the vulnerable code paths.


Vulnerability details

Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.

CWE(s): CWE-190 Integer Overflow or Wraparound
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product                        Versions
adobe     acrobat                        9.0 up to but excluding 9.5.5; 10.0 up to but excluding 10.1.7; 11.0 up to but excluding 11.0.03
adobe     acrobat reader                 9.0 up to but excluding 9.5.5; 10.0 up to but excluding 10.1.7; 11.0 up to but excluding 11.0.03
suse      linux enterprise desktop       10, 11
redhat    enterprise linux desktop       6.0
redhat    enterprise linux eus           5.9, 6.4
redhat    enterprise linux server        6.0
redhat    enterprise linux server aus    5.9, 6.4
redhat    enterprise linux workstation   6.0

The fixed releases (9.5.5, 10.1.7, 11.0.03) are not themselves affected. The SUSE and Red Hat rows are the distribution releases that shipped an affected Adobe Reader (acroread) package and received the update through the vendor advisories named above.

Mitigating Controls (NIST 800-53 r5)

prevent, SI-2 Flaw Remediation

Directly requires timely application of the vendor patches that eliminate the integer-overflow code paths in Adobe Reader/Acrobat.

prevent, CM-6 Configuration Settings

Enforces configuration settings that restrict systems to only approved, patched versions of Acrobat/Reader.

detect

Requires scanning to discover installations of the vulnerable 9.x/10.x/11.x releases before exploitation.
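The Affected Assets ranges and the detect control above both come down to one check: is an installed Reader or Acrobat build on the 9.x, 10.x or 11.x branch and below that branch's fixed release? The following is an added example, not code from this page, from Adobe or from any vendor advisory, that applies that check to a software inventory. The inventory rows, host names and the product-name spellings accepted by AFFECTED_PRODUCTS are constructed assumptions; the fixed releases are the ones named in the NVD description and APSB13-15.

```python
"""Flag Adobe Reader/Acrobat installs inside the CVE-2013-2729 affected
ranges and name the release that closes them. Added example; the inventory
below is constructed, not real hosts."""
import re

# Fixed releases from the NVD description / APSB13-15, keyed by major branch.
FIXED_RELEASE = {9: "9.5.5", 10: "10.1.7", 11: "11.0.03"}

# Product names as they might appear in an inventory export (assumption).
AFFECTED_PRODUCTS = {"adobe reader", "adobe acrobat", "acrobat reader", "acroread"}


def parse_version(text):
    """'11.0.03' -> (11, 0, 3). Leading zeros are dropped, so '11.0.03' and
    '11.0.3' compare equal, which is how Adobe numbers that release. Short
    strings are padded, so '9.5' is treated as 9.5.0."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    while len(nums) < 3:
        nums += (0,)
    return nums


def is_vulnerable(version):
    """True when the build is on a 9.x/10.x/11.x branch and below that
    branch's fixed release. Other branches return False because they are
    outside the CVE's listed scope; that is not a statement that they are safe."""
    v = parse_version(version)
    fixed = FIXED_RELEASE.get(v[0])
    if fixed is None:
        return False
    return v < parse_version(fixed)


def triage(inventory):
    """inventory: iterable of (host, product, version) rows.
    Returns one finding per vulnerable install with the release to move to."""
    findings = []
    for host, product, version in inventory:
        if product.strip().lower() not in AFFECTED_PRODUCTS:
            continue
        if is_vulnerable(version):
            branch = parse_version(version)[0]
            findings.append({"host": host, "product": product,
                             "installed": version, "fix": FIXED_RELEASE[branch]})
    return findings


# Constructed sample inventory (assumption), one row per install.
SAMPLE_INVENTORY = [
    ("ws-01", "Adobe Reader", "11.0.02"),   # below 11.0.03: vulnerable
    ("ws-02", "Adobe Reader", "11.0.03"),   # the fixed release: not flagged
    ("ws-03", "Adobe Acrobat", "10.1.6"),   # below 10.1.7: vulnerable
    ("ws-04", "Adobe Acrobat", "9.5.5"),    # fixed release: not flagged
    ("ws-05", "Adobe Reader", "9.5"),       # 9.5.0 < 9.5.5: vulnerable
    ("rhel-01", "acroread", "9.5.4"),       # Linux Reader is on the 9.x branch
    ("ws-06", "Adobe Reader", "8.3.1"),     # branch not listed in the CVE
    ("ws-07", "LibreOffice", "4.0.2"),      # unrelated product, skipped
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['installed']} -> update to {f['fix']}")
```

The comparison is done on integer tuples rather than on strings so that "11.0.03" sorts correctly against "11.0.02" and "11.0.10", which a lexical compare would get wrong. Feeding the function real data means exporting (host, product, version) from whatever inventory or EDR tool is in use; the 8.x row is there to show that a build outside the CVE's listed branches is reported as out of scope, not as patched.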
