What is Adobe Acrobat & Reader?
Adobe Acrobat and Adobe Acrobat Reader are the world's most widely deployed PDF applications, used by hundreds of millions of users globally for creating, editing, signing, and viewing PDF documents. Because PDFs are a universal document format accepted by virtually every organization — in email attachments, web downloads, and enterprise workflows — Acrobat and Reader are prime attack-delivery targets. A malicious PDF capable of triggering code execution requires only that a victim open a file, which makes these vulnerabilities highly attractive to attackers in practice.
Overview
CVE-2020-9715 is a use-after-free (UAF) vulnerability in Adobe Acrobat and Reader's PDF parsing engine. When a specially crafted PDF document triggers the vulnerable code path, the application references a memory region that has already been freed. An attacker who controls the heap layout can place malicious data in the freed region, redirecting code execution to attacker-controlled shellcode running with the privileges of the user viewing the PDF.
Affected Versions
| Product Track | Vulnerable Version | Fixed Version |
|---|---|---|
| Acrobat DC / Reader DC (Continuous) | 2020.009.20074 and earlier | 2020.012.20041 |
| Acrobat 2017 / Reader 2017 (Classic) | 017.011.30171 and earlier | 017.011.30175 |
| Acrobat 2015 / Reader 2015 (Classic) | 015.006.30523 and earlier | 015.006.30527 |
Both Windows and macOS platforms are affected across all tracks.
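As an added example (not Adobe's or this advisory's own code), a small Python audit helper that compares installed build numbers against the fixed versions in the table above. It handles the leading-zero Classic-track numbering ("017.011.30171"), which defeats naive string comparison; the hostnames in the sample inventory are constructed.

```python
"""Classify installed Acrobat/Reader builds against the first fixed versions
for CVE-2020-9715 (APSB20-48). Added example, not Adobe's tooling; the fixed
versions are the ones listed in the advisory's Affected Versions table."""
from typing import Optional

# First fixed build per product track, from the advisory.
FIXED_VERSIONS = {
    "continuous": "2020.012.20041",   # Acrobat DC / Reader DC
    "classic-2017": "017.011.30175",  # Acrobat 2017 / Reader 2017
    "classic-2015": "015.006.30527",  # Acrobat 2015 / Reader 2015
}

def parse_version(version: str) -> tuple:
    """'017.011.30171' -> (17, 11, 30171); '2020.009.20074' -> (2020, 9, 20074).
    Integer components make '017' and '17' compare equal, which a plain
    string comparison would get wrong."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {version!r}")
    return tuple(int(p) for p in parts)

def detect_track(version: str) -> str:
    """Infer the track from the major component: 15 and 17 are the Classic
    tracks, a four-digit year is Continuous. Any other numbering must be
    passed explicitly via track= (assumption of this helper)."""
    major = parse_version(version)[0]
    if major == 15:
        return "classic-2015"
    if major == 17:
        return "classic-2017"
    if major >= 2015:
        return "continuous"
    raise ValueError(f"cannot infer track for {version!r}; pass track=")

def is_vulnerable(version: str, track: Optional[str] = None) -> bool:
    """True when the build predates the first fixed version of its track."""
    track = track or detect_track(version)
    return parse_version(version) < parse_version(FIXED_VERSIONS[track])

def audit(inventory: dict) -> list:
    """inventory maps hostname -> installed version; returns the hosts still
    exposed as (host, installed, required) tuples."""
    findings = []
    for host, version in inventory.items():
        track = detect_track(version)
        if is_vulnerable(version, track):
            findings.append((host, version, FIXED_VERSIONS[track]))
    return findings

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "ws-finance-01": "2020.009.20074",  # Continuous, one build short of the fix
    "ws-finance-02": "2020.012.20041",  # patched
    "ws-legal-07": "017.011.30171",     # Classic 2017, vulnerable
    "kiosk-lobby": "015.006.30523",     # Classic 2015, vulnerable and EOL
}
```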
Technical Details
Root cause: Use-After-Free (CWE-416)
A use-after-free occurs when a program frees a chunk of heap memory but retains a pointer to that location, then subsequently uses the dangling pointer. In CVE-2020-9715, the vulnerable code path is triggered during the processing of specific PDF document structures or JavaScript object interactions within Acrobat's rendering engine.
Exploitation mechanics:
- Trigger the free: Specially crafted PDF content causes the vulnerable object to be prematurely freed
- Heap grooming: The attacker's PDF uses additional objects (e.g., JavaScript ArrayBuffer or DOM-like objects) to reclaim the freed memory slot and place attacker-controlled data
- Dangling pointer dereference: The application uses the original (now dangling) pointer, reading attacker-controlled data as if it were a legitimate object
- Code execution: By controlling the data at the freed address — particularly virtual function table (vtable) pointers — the attacker redirects execution to their shellcode
Attack characteristics:
- Authentication required: None
- Attack complexity: Low — well-understood heap manipulation techniques
- User interaction: Required — victim must open the malicious PDF
- Platform: Both Windows and macOS
The Zero Day Initiative published a detailed exploitation write-up in September 2020, providing a full technical breakdown of the heap grooming approach and vtable hijacking used to achieve reliable code execution.
Exploitation Context
Adobe UAF vulnerabilities in Acrobat are a perennial target for exploit kit authors, nation-state actors, and commodity malware campaigns. The PDF delivery mechanism is highly effective in phishing and watering-hole attacks because victims routinely open PDF attachments without hesitation.
The CISA KEV listing (April 2026) indicates ongoing exploitation activity — consistent with the pattern of threat actors targeting organizations running outdated Acrobat installations, particularly in sectors where Acrobat 2015 or 2017 Classic tracks were deployed and not updated.
Remediation
- Update Adobe Acrobat and Reader immediately to the fixed version for your track:
- Acrobat DC / Reader DC: update to 2020.012.20041 or later
- Acrobat 2017: update to 017.011.30175 or later
- Acrobat 2015: update to 015.006.30527 or later (note: 2015 Classic is end-of-life — upgrade to a supported track)
- Enable automatic updates in Adobe Acrobat/Reader: Help → Check for Updates → Automatically install updates
- Disable JavaScript in Acrobat as a defense-in-depth measure for environments that cannot patch immediately: Edit → Preferences → JavaScript → uncheck "Enable Acrobat JavaScript"
- Enable Protected View for files from the internet/email: Edit → Preferences → Security (Enhanced) → Enable Protected View for all files
- Consider deploying Microsoft Defender Application Guard for Office/PDF viewing in high-risk environments
- Audit legacy installations — identify and upgrade any deployments of Acrobat 2015, which reached end-of-life in October 2020 and will not receive further patches
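A defender-side companion to the "disable JavaScript" step, added here and not part of the original advisory: a triage heuristic for a mail gateway or download proxy that flags PDFs carrying JavaScript or auto-run actions, including names hidden behind #xx escapes or inside FlateDecode streams. It is a coarse filter, not a detector for CVE-2020-9715 itself; the sample PDFs are constructed.

```python
"""Triage PDFs for embedded JavaScript and auto-run actions, the surface the
advisory's 'disable JavaScript' mitigation removes. Added example; it is a
gateway-style heuristic, not a detector for CVE-2020-9715 itself."""
import re
import zlib

NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEYS = {b"JS", b"JavaScript"}
AUTO_KEYS = {b"OpenAction", b"AA"}  # actions that fire without a click

def decode_name(raw: bytes) -> bytes:
    """Undo PDF #xx escapes so /J#53 and /JS compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def inflate_streams(data: bytes) -> bytes:
    """Append the plaintext of every stream that inflates as zlib/FlateDecode,
    so names hidden inside compressed objects are matched too."""
    extra = []
    for body in STREAM_RE.findall(data):
        try:
            extra.append(zlib.decompress(body))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt); skip it
    return data + b"\n".join(extra)

def scan_pdf_bytes(data: bytes) -> dict:
    names = {decode_name(n) for n in NAME_RE.findall(inflate_streams(data))}
    has_js = bool(names & JS_KEYS)
    auto = bool(names & AUTO_KEYS)
    return {"has_javascript": has_js, "has_auto_action": auto,
            "verdict": "quarantine" if has_js else "allow"}

# Constructed samples (not real exploit files): one with the JavaScript name
# hex-escaped, one with the same action inside a Flate-compressed stream.
SAMPLE_PLAIN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                b"3 0 obj << /S /#4A#61vaScript /JS (app.alert('sample')) >> endobj\n%%EOF\n")
_compressed = zlib.compress(b"<< /S /JavaScript /JS (app.alert('sample')) >>")
SAMPLE_COMPRESSED = (b"%PDF-1.5\n4 0 obj << /Filter /FlateDecode /Length "
                     + str(len(_compressed)).encode() + b" >>\nstream\n"
                     + _compressed + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```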
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-9715 |
| Vendor / Product | Adobe — Acrobat |
| NVD Published | 2020-08-19 |
| NVD Last Modified | 2026-04-13 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 — Use After Free |
| CISA KEV Added | 2026-04-13 |
| CISA KEV Deadline | 2026-04-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-08-11 | Adobe Security Bulletin APSB20-48 released; patches available for all affected tracks |
| 2020-08-19 | CVE-2020-9715 published on NVD |
| 2020-09-02 | Zero Day Initiative publishes detailed exploitation write-up for CVE-2020-9715 |
| 2026-04-13 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-04-27 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2020-9715 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB20-48 | Vendor Advisory / Patch |
| ZDI Blog — Exploiting a Use-After-Free in Adobe Reader | Security Research |
| CIS Advisory — APSB20-48 | Third-Party Advisory |
| CWE-416 — Use After Free | Weakness Classification |