CVE-2018-4990
Published: 09 July 2018
Summary
CVE-2018-4990 is a high-severity Double Free (CWE-415) vulnerability in Adobe Acrobat DC. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier contain a double-free vulnerability tracked as CVE-2018-4990 and classified as CWE-415. The flaw is a memory-management error that arises during handling of certain PDF documents and carries a CVSS 3.1 base score of 8.8.
An unauthenticated attacker can trigger the issue over the network by supplying a malicious PDF that a user opens in the affected application. Successful exploitation grants arbitrary code execution in the context of the current user, with high impact to confidentiality, integrity, and availability.
Adobe’s security bulletin APSB18-09, referenced at https://helpx.adobe.com/security/products/acrobat/apsb18-09.html, addresses the vulnerability through updated releases and recommends that organizations apply the patches for the supported branches as soon as possible.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-16775
Vulnerability details
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
- CWE(s): CWE-415 (Double Free)
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Directly requires timely application of vendor patches that eliminate the double-free flaw in Acrobat/Reader.
SI-16 (Memory Protection): Employs memory-protection techniques (DEP, ASLR, etc.) that raise the bar for successful exploitation of the memory-management error.
Malicious-code protection mechanisms can block or alert on the specially crafted PDF used to trigger the vulnerability.