CVE-2023-21608
Published: 18 January 2023
Summary
CVE-2023-21608 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Acrobat DC. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
Adobe Acrobat Reader versions 22.003.20282 and earlier, 22.003.20281 and earlier, and 20.005.30418 and earlier contain a Use After Free vulnerability classified as CWE-416. When triggered, the flaw can lead to arbitrary code execution in the context of the current user.
An attacker can exploit the issue by supplying a malicious file that the victim must open. Successful exploitation requires no privileges and occurs locally with user interaction; the CVSS 7.8 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H reflects a full loss of confidentiality, integrity and availability within the affected process.
Adobe's advisory APSB23-01 addresses the issue with updated builds, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities. The associated EPSS score has reached a peak of 0.8547 with a current value of 0.7747, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-25775
Vulnerability details
Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 10 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): apply the vendor patch from APSB23-01 to remove the use-after-free code paths in Acrobat Reader before exploitation can occur.
SI-3 (Malicious Code Protection): malicious-code protection mechanisms can inspect or sandbox incoming PDFs and block execution of the specially crafted file that triggers the vulnerability.
Least privilege: running Acrobat Reader under least-privilege accounts limits the impact of arbitrary code execution to the privileges of the current user once the malicious file is opened.