Cyber Resilience

CVE-2013-3346

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 30 August 2013

Modified: 21 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8956 (99.6th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-3346 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Acrobat. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

Adobe Reader and Acrobat versions 9.x prior to 9.5.5, 10.x prior to 10.1.7, and 11.x prior to 11.0.03 contain a memory corruption vulnerability tracked as CVE-2013-3346 and assigned CWE-787. The flaw permits arbitrary code execution or denial of service through unspecified vectors and is distinct from the numerous other memory-safety issues addressed in the same Adobe release cycle. Its CVSS 3.1 base score of 9.8 reflects a network-accessible attack of low complexity that requires no authentication or user interaction.

An unauthenticated remote attacker can supply a crafted PDF document that triggers the flaw when opened in the affected reader or editor, resulting in out-of-bounds memory writes that may be leveraged for code execution under the context of the current user or for application crashes.

Adobe Security Bulletin APSB13-15, referenced by the supplied OVAL definitions, resolves the issue by updating installations to the fixed versions listed above; organizations are advised to apply those patches promptly and to restrict opening of untrusted PDF files until remediation is complete. No public details on observed in-the-wild exploitation appear in the provided references.

EU & UK References

Vulnerability details

Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

CWE(s)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / acrobat: 9.0 — 9.5.5 · 10.0 — 10.1.7 · 11.0 — 11.0.03
adobe / acrobat reader: 9.0 — 9.5.5 · 10.0 — 10.1.7 · 11.0 — 11.0.03

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely installation of vendor patches that eliminate the memory-corruption flaw in Adobe Reader/Acrobat.

prevent: Enforces OS-level memory protections (ASLR, DEP, guard pages) that make successful exploitation of the out-of-bounds write far more difficult.

prevent: Requires robust validation and sanitization of untrusted PDF input before it is processed by the vulnerable parser.

References