Cyber Resilience

CVE-2021-21017

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 11 February 2021
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch: Adobe APSB21-09
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9020 (99.6th percentile)
Risk Priority: 92 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-21017 is a high-severity heap-based buffer overflow (CWE-122) in Adobe Acrobat and Acrobat Reader. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Acrobat Reader DC versions 2020.013.20074 and earlier (Continuous track), 2020.001.30018 and earlier (Classic 2020 track) and 2017.011.30188 and earlier (Classic 2017 track) contain a heap-based buffer overflow tracked as CVE-2021-21017 and classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). The flaw resides in the PDF handling components of these releases and carries a CVSS 3.1 base score of 8.8.

An unauthenticated attacker exploits the issue by supplying a crafted file that triggers the overflow when it is parsed, gaining arbitrary code execution with the privileges of the current user (PR:N, UI:R in the CVSS vector). Successful exploitation therefore requires the victim to open the document, which is typically delivered by email or from a web page.

Adobe has published remediation guidance in security bulletin APSB21-09, and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, which records observed in-the-wild exploitation.

Vulnerability details

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Affected versions
adobe · acrobat · 17.0 through 17.011.30188; 20.0 through 20.001.30018
adobe · acrobat dc · ≤ 20.013.20074
adobe · acrobat reader · 17.0 through 17.011.30188; 20.0 through 20.001.30018
adobe · acrobat reader dc · ≤ 20.013.20074

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 Flaw Remediation

Directly requires timely installation of the Adobe APSB21-09 patch, which eliminates the heap buffer overflow in PDF parsing. This is the only control that removes the vulnerability.

prevent: SI-16 Memory Protection

Enforces memory protections (ASLR, DEP, guard pages) that raise the cost of exploiting the CWE-122/CWE-787 overflow when a malicious PDF is opened. They are hardening, not a fix: the affected builds already ran with ASLR and DEP and the KEV listing records that the flaw was exploited in the wild regardless, so these protections complement rather than replace the patch.

prevent: input validation

Requires validation of PDF input streams and object lengths against the destination buffer and the bytes actually present, directly addressing the missing bounds checks that allow the overflow.
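To make the bounds-check point concrete, here is an added, illustrative C example of the CWE-122/CWE-787 pattern described in the analysis above beside its hardened form. It is not Acrobat's code (whose parser internals are not public) and not from this page: a stream body is copied into a fixed-size heap chunk using the /Length the file declares, with and without validating that length. FIELD_CAP, the pdf_stream_t type, the function names and the sample dictionaries and body are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the fixed-size heap chunk the (hypothetical) parser copies a
 * stream body into. The real Acrobat buffer size is not public; 64 is illustrative. */
#define FIELD_CAP 64

/* A stream object as the parser sees it: the /Length the file declares and the
 * bytes actually present between the "stream" and "endstream" keywords. */
typedef struct {
    uint32_t declared_len;   /* attacker-controlled: parsed from the /Length entry */
    const uint8_t *data;     /* bytes actually present in the file */
    size_t avail;            /* how many of those bytes exist */
} pdf_stream_t;

/* Pull the integer after "/Length" out of a stream dictionary such as
 * "<< /Length 26 /Filter /FlateDecode >>". Returns 0 on success, -1 if the key
 * is missing, not followed by digits (so "-5" is rejected), or exceeds uint32_t. */
int parse_length_entry(const char *dict, uint32_t *out) {
    const char *p = strstr(dict, "/Length");
    if (!p) return -1;
    p += strlen("/Length");
    while (*p == ' ') p++;
    if (*p < '0' || *p > '9') return -1;
    char *end;
    unsigned long long n = strtoull(p, &end, 10);
    if (end == p || n > UINT32_MAX) return -1;
    *out = (uint32_t)n;
    return 0;
}

/* VULNERABLE pattern (CWE-122 via CWE-787): the destination is a fixed-size heap
 * chunk and the copy length comes straight from the file, unchecked against the
 * chunk's capacity or the bytes actually available. A /Length above FIELD_CAP
 * writes past the end of the chunk (and reads past the end of the source). */
uint8_t *copy_stream_vulnerable(const pdf_stream_t *s) {
    uint8_t *buf = malloc(FIELD_CAP);
    if (!buf) return NULL;
    memcpy(buf, s->data, s->declared_len);   /* no bounds check */
    return buf;
}

/* Returns 1 if the declared length fits both the destination and the data
 * actually present, 0 otherwise. This is the check the vulnerable copy lacks. */
int stream_length_is_sane(const pdf_stream_t *s) {
    return s->declared_len <= FIELD_CAP && s->declared_len <= s->avail;
}

/* HARDENED form: validate before allocating, size the copy by the validated
 * value, and fail closed. *out_len receives the number of bytes copied. */
uint8_t *copy_stream_hardened(const pdf_stream_t *s, size_t *out_len) {
    if (!stream_length_is_sane(s)) return NULL;
    uint8_t *buf = calloc(1, FIELD_CAP);
    if (!buf) return NULL;
    memcpy(buf, s->data, s->declared_len);
    *out_len = s->declared_len;
    return buf;
}

/* Constructed sample inputs (not taken from any real document). */
static const uint8_t kBody[] = "BT /F1 12 Tf (hello) Tj ET";   /* 26 bytes of content stream */
static const char kBenignDict[]    = "<< /Length 26 >>";
static const char kMaliciousDict[] = "<< /Length 4096 >>";    /* lies about the body size */

/* Build a stream from a dictionary string and the constructed body. */
int make_stream(const char *dict, pdf_stream_t *s) {
    if (parse_length_entry(dict, &s->declared_len) != 0) return -1;
    s->data = kBody;
    s->avail = sizeof(kBody) - 1;   /* exclude the string terminator */
    return 0;
}

int main(void) {
    pdf_stream_t benign, evil;
    size_t n = 0;
    if (make_stream(kBenignDict, &benign) != 0 || make_stream(kMaliciousDict, &evil) != 0) return 1;

    uint8_t *ok = copy_stream_hardened(&benign, &n);
    printf("benign: copied %zu bytes\n", n);
    free(ok);

    printf("malicious: declared=%u avail=%zu sane=%d\n",
           evil.declared_len, evil.avail, stream_length_is_sane(&evil));
    if (copy_stream_hardened(&evil, &n) == NULL)
        puts("hardened copy rejected the oversized /Length");
    /* copy_stream_vulnerable(&evil) would memcpy 4096 bytes into a 64-byte chunk:
     * the heap overflow. It is deliberately not called. The benign call is safe
     * only because 26 <= FIELD_CAP, which the vulnerable code never verifies. */
    free(copy_stream_vulnerable(&benign));
    return 0;
}
```

The hardened version checks the declared length against two independent limits, the destination capacity and the bytes really present, because either one alone leaves a gap: a length that fits the buffer but exceeds the source yields an out-of-bounds read, and a length matching the source but exceeding the buffer yields the heap overflow.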
