Acrobat Reader DC Use-After-Free Vulnerability Could Lead To Arbitrary Code Execution
Description
Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use After Free in Adobe Acrobat Reader DC allows unauthenticated attackers to execute arbitrary code by tricking users into opening a malicious file.
CVE-2021-21028 is a Use After Free vulnerability in Adobe Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier), and 2017.011.30188 (and earlier). The flaw arises from improper memory management when handling crafted files, leading to a use-after-free condition that can be exploited to corrupt memory.
Exploitation requires user interaction: a victim must open a malicious file. An unauthenticated attacker can deliver the file via email, web download, or other means. No authentication is needed, making the attack surface broad.
If successfully exploited, the vulnerability allows arbitrary code execution in the context of the current user. An attacker could gain the same privileges as the logged-on user, potentially leading to system compromise, data theft, or further attacks.
Adobe has addressed this issue in security updates for affected versions. Users should upgrade to the latest patched releases to mitigate the risk. No workarounds are available for this vulnerability [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.adobe.acs:acs-aem-commons (Maven) | < 4.10.0 | 4.10.0 |
Affected products
- Range: <=2020.013.20074 || <=2020.001.30018 || <=2017.011.30188
- Range: unspecified
Patches
14d769c86606 fixes to page compare and version compare tools
2 files changed · +4 −2
ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/page-compare/page-compare.jsp+2 −1 modified@@ -23,6 +23,7 @@ <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <%@taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %> <%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> +<%@taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %> <cq:defineObjects /> <sling:adaptTo adaptable="${slingRequest}" adaptTo="com.adobe.acs.commons.wcm.comparisons.model.PageCompareModel" var="model"/> @@ -67,7 +68,7 @@ <div class="page" role="main" ng-controller="MainCtrl" - ng-init="app.resource = '${model.pathA}'; app.resourceB = '${model.pathB}'; app.home = '${request.contextPath}${currentPage.path}.html'; app.a = '${model.versionA}'; app.b = '${model.versionB}'; init();"> + ng-init="app.resource = '${xss:encodeForJSString(xssAPI, model.pathA)}'; app.resourceB = '${xss:encodeForJSString(xssAPI, model.pathB)}'; app.home = '${request.contextPath}${currentPage.path}.html'; app.a = '${model.versionA}'; app.b = '${model.versionB}'; init();"> <div class="content"> <div class="content-container">
ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/version-compare/version-compare.jsp+2 −1 modified@@ -4,6 +4,7 @@ <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <%@taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %> <%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> +<%@taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %> <cq:defineObjects /> <sling:adaptTo var="model" adaptable="${slingRequest}" adaptTo="com.adobe.acs.commons.version.model.EvolutionModel"/> @@ -28,7 +29,7 @@ <div class="page" role="main" ng-controller="MainCtrl" - ng-init="app.resource = '${model.resourcePath}'; app.home = '${request.contextPath}${currentPage.path}.html'; init();"> + ng-init="app.resource = '${xss:encodeForJSString(xssAPI, model.resourcePath)}'; app.home = '${request.contextPath}${currentPage.path}.html'; init();"> <div ng-show="notifications.length > 0" class="notifications">
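Review bot: In page-compare.jsp, the ng-init line still interpolates `${model.versionA}` and `${model.versionB}` raw into single-quoted JavaScript strings, while only `model.pathA` and `model.pathB` are wrapped in `xss:encodeForJSString`. If the version values reach the model from the request the same way the paths do, they need the same treatment, for example `app.a = '${xss:encodeForJSString(xssAPI, model.versionA)}'` and likewise for `app.b`. Encoding every EL value that lands in this attribute also keeps the line from depending on which model fields happen to be request-derived today.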
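Review bot: In version-compare.jsp, `app.home = '${request.contextPath}${currentPage.path}.html'` is left unencoded in the same ng-init that now encodes `model.resourcePath`, and page-compare.jsp carries the identical expression. Suggest passing that value through `xss:encodeForJSString` as well so that every string literal in the attribute is built the same way. Since ng-init is an HTML attribute whose content is then evaluated as an Angular expression, it is also worth confirming that the encoder's output neutralises both the double quote that closes the attribute and the single quote that closes the string.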
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f92j-qf46-p6vm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21028 (ghsa, ADVISORY)
- github.com/Adobe-Consulting-Services/acs-aem-commons/commit/14d769c86606c4ce9a93c47a19f87e1ad72788d6 (ghsa, WEB)
- github.com/Adobe-Consulting-Services/acs-aem-commons/security/advisories/GHSA-f92j-qf46-p6vm (ghsa, WEB)
- helpx.adobe.com/security/products/acrobat/apsb21-09.html (ghsa, x_refsource_MISC, WEB)