Cyber Resilience

CVE-2018-4990

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 July 2018

Modified: 23 October 2025
KEV Added: 08 June 2022
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5150 (98.0th percentile)
Risk Priority: 69 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2018-4990 is a high-severity Double Free (CWE-415) vulnerability in Adobe Acrobat DC. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier contain a double-free vulnerability tracked as CVE-2018-4990 and CWE-415. The flaw is a memory-management error that arises during handling of certain PDF documents and carries a CVSS 3.1 base score of 8.8.

An unauthenticated attacker can trigger the issue over the network by supplying a malicious PDF that a user opens in the affected application; user interaction is required (UI:R). Successful exploitation grants arbitrary code execution in the context of the current user, with high impact to confidentiality, integrity, and availability.

Adobe’s security bulletin APSB18-09, referenced at https://helpx.adobe.com/security/products/acrobat/apsb18-09.html, addresses the vulnerability through updated releases and recommends that organizations apply the patches for the supported branches as soon as possible.


Vulnerability details

Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

CWE(s): CWE-415 (Double Free)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / acrobat dc: 15.006.30060 to 15.006.30417; 15.008.20082 to 18.011.20038; 17.011.30059 to 17.011.30079
adobe / acrobat reader dc: 15.006.30060 to 15.006.30417; 15.008.20082 to 18.011.20038; 17.011.30059 to 17.011.30079

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of vendor patches that eliminate the double-free flaw in Acrobat/Reader.

SI-16 Memory Protection (prevent)

Employs memory-protection techniques (DEP, ASLR, etc.) that raise the bar for successful exploitation of the memory-management error.

SI-3 Malicious Code Protection (prevent / detect)

Malicious-code protection mechanisms can block or alert on the specially crafted PDF used to trigger the vulnerability.
