CVE-2021-21017
Published: 11 February 2021
Summary
CVE-2021-21017 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Adobe Acrobat. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Acrobat Reader DC versions 2020.013.20074 and earlier, 2020.001.30018 and earlier, and 2017.011.30188 and earlier contain a heap-based buffer overflow vulnerability tracked as CVE-2021-21017 and associated with CWE-122 and CWE-787. The flaw resides in the PDF handling components of these releases and carries a CVSS 3.1 score of 8.8.
An unauthenticated attacker can exploit the issue by supplying a malicious file that triggers the overflow when opened, resulting in arbitrary code execution under the privileges of the current user. Successful exploitation therefore requires the victim to interact with the crafted document, typically delivered via email or a web page.
Adobe has published remediation guidance in security bulletin APSB21-09, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed exploitation in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8423
Vulnerability details
Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
- CWE(s): CWE-122, CWE-787
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the Adobe APSB21-09 patch that eliminates the heap buffer overflow in PDF parsing.
- SI-16 (Memory Protection): enforces memory protections (ASLR, DEP, guard pages) that block exploitation of the CWE-122/CWE-787 overflow when a malicious PDF is opened.
- Input validation: requires validation of PDF input streams and object lengths, directly addressing the missing bounds checks that allow the overflow.