Cyber Resilience

CVE-2021-28550

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 02 September 2021
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3072 (96.8th percentile)
Risk Priority: 56 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-28550 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Acrobat DC. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 3.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

Acrobat Reader DC versions 2021.001.20150 and earlier, 2020.001.30020 and earlier, and 2017.011.30194 and earlier are affected by a Use After Free vulnerability (CWE-416) with a CVSS 3.1 score of 8.8. The flaw resides in the PDF handling components of these releases and results in memory corruption when specially crafted content is processed.

An unauthenticated attacker can leverage the vulnerability for arbitrary code execution in the context of the current user. Successful exploitation requires the victim to open a malicious file, after which the attacker gains control within the reader's process.

Adobe security bulletin APSB21-29 addresses the issue and supplies updated builds that remediate the use-after-free condition. The vulnerability is also listed in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild exploitation.

EU & UK References

Vulnerability details

Acrobat Reader DC versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe acrobat dc: 15.008.20082 — 21.001.20150 · 15.008.20082 — 21.001.20149
adobe acrobat reader dc: 15.008.20082 — 21.001.20150 · 15.008.20082 — 21.001.20149
adobe acrobat: 17.011.30059 — 17.011.30194 · 20.001.30005 — 20.001.30020
adobe acrobat reader: 17.011.30059 — 17.011.30194 · 20.001.30005 — 20.001.30020

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

[prevent] Directly requires timely installation of the Adobe patches that eliminate the use-after-free flaw before a malicious PDF can be exploited.

[prevent, detect] Malicious-code detection mechanisms can inspect or sandbox incoming PDF files that trigger the use-after-free condition.

[prevent] Running Acrobat Reader under least-privilege accounts limits the impact of arbitrary code execution that results from successful exploitation.

References