What are Adobe Acrobat and Reader?
Adobe Acrobat and Acrobat Reader are the dominant PDF creation, editing, and viewing tools for Windows and macOS. Reader is the free viewer installed on hundreds of millions of endpoints for viewing PDF attachments received via email, downloaded from the web, or shared via collaboration platforms. Because PDFs may contain complex embedded content — JavaScript, fonts, images, form data, and multimedia — Acrobat's parsing engine is a large attack surface. Use-after-free vulnerabilities in the PDF parser arise when object lifetime tracking fails during parsing of maliciously crafted content structures, allowing memory to be freed while a stale pointer still references it.
Overview
CVE-2023-21608 is a use-after-free vulnerability (CWE-416) in Adobe Acrobat and Reader that allows code execution in the context of the current user when a victim opens a maliciously crafted PDF file. Adobe patched the vulnerability in security bulletin APSB23-01, released January 10, 2023 as part of a batch of Acrobat/Reader fixes. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects the delivery model: the attack vector is local and user interaction is required, because the attacker supplies a malicious PDF and must convince the victim to open it. No network access to the victim's system is needed once the document has been delivered, and no privileges are required beyond those of the user who opens it.
The nine-month gap between the patch (January 2023) and the CISA KEV addition (October 10, 2023) is notable. A KEV listing records evidence of in-the-wild exploitation, not the date exploitation began, so the gap is consistent with exploitation being identified through incident response or threat intelligence well after the fix shipped, against installations that had not applied it. The practical point is that a patch published months ago still warrants urgent verification: older, unpatched Acrobat and Reader installs were being targeted at the time of the listing.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Acrobat DC (Continuous) | 22.003.20282 and earlier | 22.003.20310 |
| Acrobat Reader DC (Continuous) | 22.003.20282 and earlier | 22.003.20310 |
| Acrobat 2020 | 20.005.30418 and earlier | 20.005.30436 |
| Acrobat Reader 2020 | 20.005.30418 and earlier | 20.005.30436 |
| Acrobat 2017 | 17.012.30229 and earlier | 17.012.30262 |
| Acrobat Reader 2017 | 17.012.30229 and earlier | 17.012.30262 |
Technical Details
Use-after-free (CWE-416) vulnerabilities in the PDF parser occur when the parser frees a heap-allocated object — such as a JavaScript object, annotation, form field, or embedded content structure — but retains a pointer to it that is subsequently accessed. Exploitation follows the standard UAF pattern:
- Trigger the free — craft a PDF that causes Acrobat to free a specific object through a particular parsing sequence (e.g., deleting an annotation while a reference to it is still live)
- Reclaim the freed memory — cause Acrobat to allocate a new object of the same size in the freed slot, filling it with attacker-controlled content
- Use the dangling pointer — cause Acrobat to use the original stale pointer, now pointing to attacker-controlled data, to execute a function pointer or overwrite control flow data
The result is code execution in the context of the Acrobat process and the user running it. On Windows, Reader renders documents inside its Protected Mode sandbox, which limits what the initial exploit can reach (file system, registry, process creation), so a UAF in the renderer is typically chained with a separate sandbox escape in a multi-stage attack. Protected Mode does not exist on macOS, and the paid Acrobat product relies on the separate Protected View feature rather than Protected Mode, so the exploit's immediate reach depends on which product and platform the victim is running.
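The three steps above, worked through in C as an added example (this is illustrative code written for this page, not Acrobat's parser or any real exploit). It assumes a hypothetical annotation object whose first field is a render callback, a toy size-class allocator with LIFO slot reuse that stands in for the heap behaviour an exploit relies on, and a hypothetical script-held handle that keeps pointing at the annotation after the page deletes it. The vulnerable delete path frees the object regardless of other holders; the hardened path drops only the page's reference and frees on the last release, so the reclaim allocation lands in a different slot and the callback stays legitimate.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy size-class allocator with LIFO slot reuse, the property a UAF exploit
 * relies on: a freed slot is handed straight back to the next allocation of
 * the same size. Hypothetical stand-in for a real heap, not Acrobat's. */
#define SLOT_SIZE 32
#define NSLOTS 8
static uint8_t *slab;                    /* NSLOTS * SLOT_SIZE bytes */
static int free_stack[NSLOTS], free_top = -1;

static void slab_reset(void) {
    if (!slab) slab = malloc((size_t)NSLOTS * SLOT_SIZE);
    memset(slab, 0, (size_t)NSLOTS * SLOT_SIZE);
    free_top = -1;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[++free_top] = i;
}
static void *slab_alloc(void) {
    return free_top < 0 ? NULL : slab + free_stack[free_top--] * SLOT_SIZE;
}
static void slab_free(void *p) {
    free_stack[++free_top] = (int)(((uint8_t *)p - slab) / SLOT_SIZE);
}

/* A hypothetical annotation object: a callback slot first, then data. */
typedef struct annot {
    void (*on_render)(struct annot *);
    int id;
    int refs;
} annot_t;

static int last_rendered = -1;   /* set by the legitimate render callback */
static int attacker_ran = 0;     /* set if control flow was hijacked */
static void real_render(annot_t *a) { last_rendered = a->id; }
static void attacker_gadget(annot_t *a) { (void)a; attacker_ran = 1; }

typedef struct { annot_t *annots[4]; } page_t;

static annot_t *annot_new(page_t *pg, int slot, int id) {
    annot_t *a = slab_alloc();
    a->on_render = real_render;
    a->id = id;
    a->refs = 1;                 /* the page's own reference */
    pg->annots[slot] = a;
    return a;
}

/* Vulnerable delete: frees the object with no regard for other live references. */
static void page_delete_vuln(page_t *pg, int slot) {
    slab_free(pg->annots[slot]);
    pg->annots[slot] = NULL;
}

/* Hardened delete: only the page's reference is dropped; the object is freed
 * when the last holder (e.g. a script-held handle) releases it. */
static annot_t *handle_acquire(annot_t *a) { a->refs++; return a; }
static void handle_release(annot_t *a) { if (--a->refs == 0) slab_free(a); }
static void page_delete_fixed(page_t *pg, int slot) {
    handle_release(pg->annots[slot]);
    pg->annots[slot] = NULL;
}

/* Runs the three-step UAF sequence against one of the two delete paths.
 * Returns 1 if the attacker's gadget ran, 0 if rendering stayed legitimate. */
static int run_scenario(int hardened) {
    page_t pg = {{0}};
    slab_reset();
    last_rendered = -1;
    attacker_ran = 0;

    annot_t *a = annot_new(&pg, 0, 42);
    annot_t *script_handle = hardened ? handle_acquire(a) : a;  /* live reference */

    /* Step 1: trigger the free while script_handle is still live. */
    if (hardened) page_delete_fixed(&pg, 0); else page_delete_vuln(&pg, 0);

    /* Step 2: reclaim. The next same-size allocation (an attacker-supplied
     * byte string) takes the freed slot; its first bytes are a chosen pointer. */
    uint8_t *spray = slab_alloc();
    void (*fake)(annot_t *) = attacker_gadget;
    memcpy(spray, &fake, sizeof fake);
    memset(spray + sizeof fake, 'A', SLOT_SIZE - sizeof fake);

    /* Step 3: use the handle. On the vulnerable path it now aliases the
     * spray, so the callback slot holds the attacker's pointer. */
    script_handle->on_render(script_handle);
    if (hardened) handle_release(script_handle);
    return attacker_ran;
}

int main(void) {
    printf("vulnerable delete: gadget ran = %d\n", run_scenario(0));
    int hijacked = run_scenario(1);
    printf("hardened delete:   gadget ran = %d, rendered id = %d\n", hijacked, last_rendered);
    return 0;
}
```

The allocator is deliberately simple so the reclaim is deterministic; on a real heap the attacker must spray many same-size allocations to get the same effect, and mitigations such as delayed freeing or type-isolated heaps are aimed at breaking exactly step 2.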
Discovery
Adobe credited an anonymous researcher with discovering CVE-2023-21608. Adobe's APSB23-01 bulletin classified the impact as "Arbitrary code execution" and the severity as "Critical". Adobe's severity scale is its own and is not a CVSS mapping: "Critical" denotes a flaw that could let an attacker run code without the user being aware, which is why the rating sits above what the NVD's CVSS 7.8 (High) might suggest. Adobe's separate priority rating, not its severity, is what reflects the likelihood of exploitation.
Exploitation Context
Adobe Acrobat and Reader are perennial targets for document-borne exploit delivery. The APSB23-01 patch batch included multiple critical UAF and other memory corruption vulnerabilities; CVE-2023-21608 is one entry in a broader pattern of Acrobat parser vulnerabilities exploited for malware delivery via phishing or watering-hole attacks. Its October 2023 KEV addition coincided with other October entries (WordPad NTLM hash disclosure, Skype for Business SSRF, Arm Mali GPU UAF). Shared listing dates do not indicate a shared campaign; the timing shows only that CISA had evidence of active exploitation for each during that period.
Remediation
- Update Acrobat and Reader — apply the January 2023 APSB23-01 update or any subsequent cumulative update; check current version against affected ranges in the table above.
- Enable automatic updates — Help → Check for Updates performs a one-off manual check; automatic updating is configured under Edit → Preferences → Updater (or centrally via Adobe's enterprise update settings). Keeping it on minimizes the gap between patch release and deployment.
- Enable Protected Mode — Acrobat Reader's Protected Mode (enabled by default on Windows) sandboxes the PDF rendering process; verify it has not been disabled. Per Adobe's enterprise administration guide the user preference is the bProtectedMode DWORD under HKCU\Software\Adobe\Acrobat Reader\DC\Privileged (0 disables it), and the same value under HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown locks it for all users; confirm the exact paths against the guide for your product version.
- Block untrusted PDFs at the email gateway — configure email security to sandbox or block PDFs from external senders before delivery to endpoints.
- Consider Reader alternatives for high-risk users — browser-native PDF viewers (Chrome's PDFium, Firefox's PDF.js, Edge) implement less of the PDF specification (notably Acrobat's JavaScript API and rich forms) and run inside the browser's renderer sandbox, so many Acrobat-specific exploit chains do not apply to them. They have their own parser bugs and are not a substitute for patching, but they reduce exposure to Acrobat-targeted documents.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-21608 |
| Vendor / Product | Adobe — Acrobat and Reader |
| NVD Published | 2023-01-18 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 (Use After Free) |
| CISA KEV Added | 2023-10-10 |
| CISA KEV Deadline | 2023-10-31 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-01-10 | Adobe releases APSB23-01 — security update for Acrobat and Reader patching CVE-2023-21608 and multiple other vulnerabilities |
| 2023-01-18 | CVE-2023-21608 formally published |
| 2023-10-10 | CISA adds CVE-2023-21608 to the Known Exploited Vulnerabilities catalog — nine months after patch release |
| 2023-10-31 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Adobe Security Bulletin APSB23-01 — Acrobat and Reader | Vendor Advisory |
| NVD — CVE-2023-21608 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |