CVE-2013-3346
Published: 30 August 2013
Summary
CVE-2013-3346 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Acrobat. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
Adobe Reader and Acrobat versions 9.x prior to 9.5.5, 10.x prior to 10.1.7, and 11.x prior to 11.0.03 contain a memory corruption vulnerability tracked as CVE-2013-3346 and assigned CWE-787. The flaw permits arbitrary code execution or denial of service through unspecified vectors and is distinct from the numerous other memory-safety issues addressed in the same Adobe release cycle. Its CVSS 3.1 base score of 9.8 reflects a network-reachable attack path that requires no authentication or user interaction.
An unauthenticated remote attacker can supply a crafted PDF document that triggers the flaw when opened in the affected reader or editor, resulting in out-of-bounds memory writes that may be leveraged for code execution under the context of the current user or for application crashes.
Adobe Security Bulletin APSB13-15, referenced by the supplied OVAL definitions, resolves the issue by updating installations to the fixed versions listed above; organizations are advised to apply those patches promptly and to restrict opening of untrusted PDF files until remediation is complete. No public details on observed in-the-wild exploitation appear in the provided references.
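The remediation check implied by the version ranges above, written out as an added example (this is not Adobe's code, nor part of APSB13-15 or the OVAL definitions the bulletin references). It encodes the first fixed version of each affected branch and classifies inventory rows; the inventory rows themselves are constructed sample data, and the row layout `(host, product, version)` is an assumption about how an asset inventory export might look.

```python
"""Classify installed Adobe Reader/Acrobat versions against the ranges that
APSB13-15 fixes for CVE-2013-3346: 9.x < 9.5.5, 10.x < 10.1.7, 11.x < 11.0.03.
Added example; the inventory below is constructed, not collected from hosts."""
from typing import Dict, List, Optional, Tuple

# First NOT-affected version per major branch, taken from the advisory text.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    9: (9, 5, 5),
    10: (10, 1, 7),
    11: (11, 0, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '11.0.03' into (11, 0, 3).

    Leading zeros in a component ('03') are ordinary integers. A non-numeric
    component raises ValueError so callers can flag unparseable inventory rows
    instead of silently treating them as safe.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is inside an affected range, False if it is
    at or past the fixed version (or in a branch the advisory does not list),
    and None if the string cannot be parsed."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return None
    if not parsed:
        return None
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return False  # branch not covered by the advisory ranges
    # Pad short strings so '9.5' compares as 9.5.0 and extra components
    # beyond the third (e.g. build numbers) are ignored.
    head = tuple(parsed[:3])
    padded = head + (0,) * (3 - len(head))
    return padded < fixed


# Constructed asset-inventory rows: (host, product, version). Hypothetical data.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Adobe Reader", "9.5.4"),
    ("ws-02", "Adobe Reader", "9.5.5"),
    ("ws-03", "Adobe Acrobat", "10.1.6"),
    ("ws-04", "Adobe Reader", "11.0.03"),
    ("ws-05", "Adobe Reader", "11.0.2"),
    ("ws-06", "Adobe Reader", "12.0.0"),  # outside the listed branches
    ("ws-07", "Adobe Reader", "unknown"),  # unparseable, must not pass as safe
]


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hosts into 'affected', 'not_affected' and 'unparsed' buckets.

    Unparseable versions get their own bucket so a bad inventory export
    cannot hide a vulnerable install behind a 'not affected' verdict.
    """
    buckets: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unparsed": []}
    for host, _product, version in inventory:
        verdict = is_affected(version)
        if verdict is None:
            buckets["unparsed"].append(host)
        elif verdict:
            buckets["affected"].append(host)
        else:
            buckets["not_affected"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The separate `unparsed` bucket is the deliberate design choice here: a patch-compliance report that maps every unrecognised version string to "fixed" will understate exposure, so unknowns are surfaced for manual follow-up rather than folded into either verdict.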
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-3282
Vulnerability details
Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.
- CWE(s): CWE-787
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of vendor patches that eliminate the memory-corruption flaw in Adobe Reader/Acrobat.
- Enforces OS-level memory protections (ASLR, DEP, guard pages) that make successful exploitation of the out-of-bounds write far more difficult.
- SI-10 (Information Input Validation): requires robust validation and sanitization of untrusted PDF input before it is processed by the vulnerable parser.