CVE-2026-27220
Published: 10 March 2026
Summary
CVE-2026-27220 is a high-severity Use After Free (CWE-416) vulnerability in Apple Macos. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and correction of software flaws like this Use After Free vulnerability through timely patching of affected Acrobat Reader versions.
Implements memory protection safeguards such as DEP and ASLR that prevent unauthorized code execution from Use After Free exploits in PDF processing.
Deploys malicious code protection mechanisms at system entry points to scan and block specially crafted malicious PDF files targeting the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in Acrobat Reader PDF processing enables client-side RCE (T1203) when a user opens a malicious PDF (T1204.002).
NVD Description
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a…
more
victim must open a malicious file.
Deeper analysisAI
CVE-2026-27220 is a Use After Free vulnerability (CWE-416) affecting Adobe Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265, and earlier. The flaw occurs in the software's processing of PDF files and can lead to arbitrary code execution in the context of the current user. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact potential with low complexity but requiring local access and user interaction.
Exploitation requires an attacker to deliver a specially crafted malicious PDF file to a target system, tricking the victim into opening it with a vulnerable version of Acrobat Reader. No special privileges are needed (PR:N), and the attack complexity is low (AC:L), making it feasible for attackers with local access to the victim's machine. Successful exploitation allows arbitrary code execution with the privileges of the current user, potentially enabling full system compromise, data theft, or persistence if the user has elevated rights.
Adobe has published Security Bulletin APSB26-26 at https://helpx.adobe.com/security/products/acrobat/apsb26-26.html, which provides details on affected versions and recommends applying the latest security updates to mitigate the vulnerability. Practitioners should prioritize patching Acrobat Reader installations and advise users against opening untrusted PDF files.
Details
- CWE(s)