Adobe Acrobat Reader: Three Memory Corruption and Disclosure Flaws Patched Together

Key findings
- Three Adobe Acrobat Reader vulnerabilities disclosed on June 23, 2026, including one for arbitrary code execution.
- Two out-of-bounds read vulnerabilities could lead to sensitive memory disclosure.
- Exploitation requires users to open specially crafted documents.
- Affected versions include multiple releases of Acrobat Reader up to 2020.
- Patches are available; users should update promptly.

On June 23, 2026, Adobe released security updates addressing three vulnerabilities in Acrobat Reader. The batch of CVEs, disclosed on the same day, includes one memory corruption flaw leading to arbitrary code execution and two memory disclosure vulnerabilities. These issues could allow attackers to execute code or reveal sensitive information if a user opens a specially crafted document.

The vulnerabilities are categorized as follows:

Memory Corruption and Disclosure
- **CVE-2020-9695**: This vulnerability is an out-of-bounds write (CWE-787) in Acrobat Reader. Successful exploitation could lead to arbitrary code execution within the context of the current user. This requires the user to interact by opening a malicious file. Affected versions include 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523, and earlier.
- **CVE-2020-9711**: This is an out-of-bounds read (CWE-125) vulnerability in Acrobat Reader. It could allow an attacker to disclose sensitive memory contents. Exploitation also requires user interaction, such as opening a malicious document. The affected versions are the same as for CVE-2020-9695.
- **CVE-2020-9713**: Another out-of-bounds read (CWE-125) vulnerability, this one affects both Adobe Acrobat and Reader. Similar to CVE-2020-9711, it could lead to the disclosure of sensitive memory. Affected versions include 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier.

Adobe has provided patches for these vulnerabilities. Users are strongly advised to update their Acrobat Reader installations to the latest versions to mitigate the risks associated with these security flaws. The timely patching of these issues is crucial to prevent potential exploitation that could compromise user data and system security.
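
To act on the affected-version list above, the following added example (not Adobe's code and not part of the original advisory) triages inventory version strings per release track, since comparing every build against a single number would mislabel builds from older tracks. It assumes, beyond what the page states, that a third version field of 30000 or higher marks a Classic-track build; the inventory rows are constructed.

```python
# Added example: triage inventory versions against the builds listed above.
# Assumption (not stated on the page): a third field of 30000 or higher marks
# a Classic-track build tied to its release year; lower values are Continuous.

# Last affected build per track, copied from the advisory text.
LAST_AFFECTED = {
    "continuous": (2020, 9, 20074),
    "classic-2020": (2020, 1, 30002),
    "classic-2017": (2017, 11, 30171),
    "classic-2015": (2015, 6, 30523),
}

def parse_version(text):
    """Turn '2017.011.30171' or '17.011.30171' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    year, minor, build = (int(p) for p in parts)
    if year < 100:  # some inventories report a two-digit year
        year += 2000
    return year, minor, build

def track_of(version):
    year, _, build = version
    return f"classic-{year}" if build >= 30000 else "continuous"

def is_affected(text):
    """True/False for a listed track, None when the track is not listed."""
    version = parse_version(text)
    limit = LAST_AFFECTED.get(track_of(version))
    return None if limit is None else version <= limit

# Constructed inventory rows (host, reported version); not real data.
INVENTORY = [
    ("ws-001", "20.009.20074"),
    ("ws-002", "2017.011.30175"),
    ("ws-003", "19.021.20061"),
    ("ws-004", "2020.012.20041"),
    ("ws-005", "2018.011.30100"),
]

def triage(rows):
    labels = {True: "affected", False: "newer than listed", None: "unknown track"}
    return {host: labels[is_affected(ver)] for host, ver in rows}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

A result of "newer than listed" only means the build is later than the last affected build named on this page; the page does not give the fixed build numbers, so confirm those against Adobe's bulletin.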

This batch of vulnerabilities underscores the importance of keeping PDF reader software up to date, as memory corruption and out-of-bounds read vulnerabilities remain a common attack vector for malicious actors seeking to gain unauthorized access or information. Users should remain vigilant and apply security updates promptly.