Search
On this page ▾
CVE-2014-0546 — Adobe Reader and Acrobat Sandbox Bypass Vulnerability

CVE-2014-0546

Adobe Reader/Acrobat XI — Protected Mode Sandbox Escape Enables Native Code Execution Outside the PDF Sandbox
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What Is Adobe Reader?

Adobe Reader is the world's most-deployed PDF viewer. A critical security feature introduced in Adobe Reader X (2010) is Protected Mode — a Windows sandbox that runs the Reader rendering process in a highly restricted low-integrity process, isolated from the operating system. Protected Mode was specifically designed to contain PDF-based exploit code: even if an attacker achieved code execution inside Reader's rendering engine, they would be trapped in the sandbox and unable to write files, access the network, or interact with the OS in meaningful ways.

A sandbox escape (bypass) vulnerability is therefore highly dangerous: it negates Reader's primary post-exploitation defense and allows a two-stage exploit chain (PDF RCE + sandbox escape) to achieve full code execution on the host system.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-0546 is a sandbox bypass vulnerability in Adobe Reader and Acrobat on Windows that allows an attacker who has already achieved code execution inside Reader's Protected Mode sandbox to escape and execute native code at the privilege level of the host user. This vulnerability is typically the second stage of a two-stage exploit chain: a PDF remote code execution vulnerability gains initial code execution inside the sandbox, and this bypass then elevates to full OS-level code execution. Patched in Adobe Security Bulletin APSB14-19 (August 12, 2014).

Affected Versions

Product Vulnerable Fixed
Adobe Reader XI (Windows) ≤ 11.0.07 11.0.08
Adobe Reader X (Windows) ≤ 10.1.10 10.1.11
Adobe Acrobat XI (Windows) ≤ 11.0.07 11.0.08
Adobe Acrobat X (Windows) ≤ 10.1.10 10.1.11

Note: The sandbox bypass only affects the Windows version; Mac Reader uses a different sandboxing approach.

Technical Details

What Is Protected Mode?

Adobe Reader's Protected Mode (introduced in Reader X) implements a Windows sandbox architecture:

  • The renderer process (which parses and displays PDFs) runs in a low-integrity Windows process with severely restricted token permissions
  • A broker process runs at normal user integrity and mediates any requests from the renderer that require OS access (file writes, registry access, network calls)
  • The broker validates all requests from the renderer against a strict policy before performing them on the renderer's behalf

An exploit that achieves code execution inside the renderer is still sandboxed — it cannot read arbitrary files, write to disk, establish network connections, or execute new processes without the broker's permission.

How the Bypass Works

CVE-2014-0546 involves an improper validation or logic flaw in the broker process's policy enforcement for a specific API or system call. The sandboxed renderer process can make a crafted request to the broker that bypasses the access control check, causing the broker (running at normal user integrity) to perform a privileged operation on behalf of the renderer.

The exact mechanism involves the way the sandbox broker handles a specific COM object, Windows API call, or IPC message from the renderer — allowing a renderer-controlled value to cause the broker to perform an operation that should be prohibited.

Exploit Chain

A complete attack using this CVE requires two vulnerabilities:

  1. PDF RCE (e.g., CVE-2014-0496 or similar): achieves code execution inside Reader's Protected Mode sandbox
  2. CVE-2014-0546 (sandbox bypass): elevates from sandboxed execution to full OS code execution at user privilege level

The combined exploit defeats Reader's security architecture entirely, resulting in the same impact as if Protected Mode did not exist.

Attack Characteristics

Attribute Detail
Used alone Requires prior code execution inside Reader sandbox
In exploit chain Enables full RCE from malicious PDF (Critical impact)
Platform Windows only
CVSS 9.8 CRITICAL (for the full chain)

Discovery

Reported to Adobe by security researchers studying Reader's Protected Mode sandbox implementation. Patched in the August 2014 Reader/Acrobat security bulletin.

Exploitation Context

  • Sandbox bypasses are among the most valuable components of exploit chains for well-sandboxed applications
  • Combined with a Reader RCE vulnerability, this bypass enabled complete compromise of a Windows system via a malicious PDF file
  • Used in targeted attack campaigns where attackers assembled complete PDF exploit chains — PDF exploit + sandbox escape — for reliable end-to-end compromise
  • CISA added to KEV in May 2022, confirming this exploit chain was used in real-world attacks long after patches were available (against unpatched legacy Reader deployments)

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update Adobe Reader/Acrobat to 11.0.08 or 10.1.11 per APSB14-19. Both the sandbox bypass and any PDF RCE vulnerabilities patched in this bulletin must be addressed.

  2. Enable Protected Mode — it remains a valuable defense even with this bypass patched: Edit → Preferences → Security (Enhanced) → Enable Protected Mode at Startup.

  3. Enable Protected View for files from untrusted sources — opens PDFs in a read-only mode with no JavaScript: Edit → Preferences → Security (Enhanced) → Protected View → All files.

  4. Consider modern alternatives such as Microsoft Edge's built-in PDF viewer or browser-based PDF rendering (no plugin required), which have separate and more modern sandbox architectures.

  5. Block legacy Reader versions via application control policies in enterprise environments — prevent older unpatched Reader versions from executing.

Key Details

PropertyValue
CVE ID CVE-2014-0546
Vendor / Product Adobe — Reader and Acrobat
NVD Published2014-08-12
NVD Last Modified2025-11-22
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-264 — Permissions, Privileges, and Access Controls find similar ↗
CISA KEV Added2022-05-25
CISA KEV Deadline2022-06-15
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

DateEvent
2014-08-12Adobe Security Bulletin APSB14-19 published; Reader/Acrobat 11.0.08 and 10.1.11 released
2014-08-12CVE-2014-0546 published
2022-05-25Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15CISA BOD 22-01 remediation deadline

References

ResourceType
NVD — CVE-2014-0546 Vulnerability Database
CISA KEV Catalog Entry US Government
Adobe Security Bulletin APSB14-19 — Security Updates for Adobe Reader and Acrobat Vendor Advisory

Last updated: 2026-05-24

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML