CVE-2023-26369 — Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability

CVE-2023-26369

Adobe Acrobat/Reader — Out-of-Bounds Write in Document Parsing Enabling Code Execution via Malicious PDF

What is Adobe Acrobat and Reader?

Adobe Acrobat and Adobe Acrobat Reader are the dominant applications for creating, viewing, and editing PDF files. With hundreds of millions of installations across Windows and macOS, they represent one of the broadest attack surfaces in enterprise and consumer computing. PDFs are routinely received via email, downloaded from the web, and opened without suspicion — making Acrobat/Reader vulnerabilities a perennial target for malware delivery, phishing campaigns, and targeted attacks against high-value individuals.

Overview

CVE-2023-26369 is an out-of-bounds write vulnerability in Adobe Acrobat and Reader that allows code execution when a user opens a specially crafted PDF. Adobe disclosed and patched it on September 12, 2023 (September Patch Tuesday), noting active exploitation in the wild in limited attacks. CISA added it to the KEV catalog the following day.

Affected Versions

Product                        | Affected Versions        | Fixed Version
-------------------------------|--------------------------|--------------
Acrobat DC (Continuous)        | 23.003.20284 and earlier | 23.006.20320
Acrobat Reader DC (Continuous) | 23.003.20284 and earlier | 23.006.20320
Acrobat 2020                   | 20.005.30516 and earlier | 20.005.30524
Acrobat Reader 2020            | 20.005.30516 and earlier | 20.005.30524

Technical Details

The vulnerability is an out-of-bounds write (CWE-787) in Acrobat's document parsing engine. When processing a crafted PDF that triggers a specific parsing path, the application writes data beyond the bounds of an allocated buffer. Depending on what memory is overwritten, an attacker can achieve controlled corruption of adjacent memory structures, leading to arbitrary code execution with the privileges of the user running Acrobat.

The attack requires the victim to open a malicious PDF file (user interaction required — reflected in the CVSS UI:R). However, no special privileges are needed to trigger the bug (PR:N). In practice, delivery is straightforward: the malicious PDF can be sent as an email attachment, distributed via a malicious download link, or embedded in a spear-phishing campaign targeting specific individuals or organizations.

Adobe described the exploitation as "limited attacks in the wild," suggesting targeted use rather than mass exploitation — a common pattern for PDF zero-days which are expensive to develop and typically reserved for high-value targets.

Discovery

Adobe credited an anonymous reporter. The active exploitation indicates the vulnerability was discovered and weaponized before Adobe became aware of it — consistent with targeted attack scenarios.

Exploitation Context

CVE-2023-26369 was exploited in limited, targeted attacks before Adobe's September 2023 patch. PDF-based code execution vulnerabilities are favored by APT groups and sophisticated cybercriminals for their reliable delivery mechanism — targets routinely open PDFs without hesitation, and the lure content (invoice, contract, report) can be tailored precisely for the target. Post-exploitation, attackers typically drop additional malware payloads, establish persistence, or steal credentials.

CISA added the vulnerability to KEV one day after the patch, reflecting confirmed active exploitation.

Remediation

  1. Apply Adobe APSB23-34 updates immediately — update Acrobat DC to 23.006.20320, Acrobat 2020 to 20.005.30524, and their Reader equivalents.
  2. Enable automatic updates in Acrobat/Reader — go to Help → Check for Updates and turn on automatic updates so that future critical patches are applied promptly.
  3. Enable Protected Mode (sandboxing) — Acrobat's Protected Mode runs the rendering process in a sandbox that limits what a successful exploit can do. Verify it is enabled via Preferences → Security (Enhanced) → Protected Mode at Startup.
  4. Enable Protected View — display all PDFs from external sources in Protected View (read-only, restricted) before allowing full functionality.
  5. Be cautious with PDFs from email and web — train users to be skeptical of unexpected PDF attachments, even from apparently known senders, as phishing campaigns routinely spoof sender addresses.
  6. Consider alternative PDF viewers for environments with high risk tolerance — browser-based PDF viewing (Chrome/Edge built-in viewer) avoids Acrobat's parser entirely for many use cases.
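To turn the Affected Versions table and remediation step 1 into a repeatable inventory check, here is an added example (not Adobe's code and not part of the APSB23-34 bulletin). It assumes that the leading component of the build string identifies the product track (23.x = DC Continuous, 20.x = the 2020 Classic track) and that the inventory is a constructed `host,product,version` format.

```python
# Added example: classify installed Acrobat/Reader builds against the
# CVE-2023-26369 fix table. Not Adobe code; inventory format is constructed.
from typing import List, Tuple

# Fixed build per track, from the Affected Versions table on this page.
# Assumption: the leading component of the build string identifies the track
# (23.x = DC Continuous, 20.x = Acrobat/Reader 2020 Classic).
FIXED_BUILD = {23: "23.006.20320", 20: "20.005.30524"}

def parse_build(ver: str) -> Tuple[int, int, int]:
    """'23.003.20284' -> (23, 3, 20284); numeric, so zero-padding is irrelevant."""
    parts = ver.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat build string: {ver!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)

def assess(installed: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown-track' for one build."""
    build = parse_build(installed)
    fixed = FIXED_BUILD.get(build[0])
    if fixed is None:
        return "unknown-track"  # a track the table does not cover
    # Everything below the fixed build counts as affected: the table says
    # "<last affected> and earlier" and lists no interim build as safe.
    return "patched" if build >= parse_build(fixed) else "vulnerable"

def hosts_needing_patch(inventory: str) -> List[Tuple[str, str]]:
    """Parse constructed 'host,product,version' lines; return exposed hosts."""
    exposed = []
    for line in inventory.strip().splitlines():
        host, _product, version = (f.strip() for f in line.split(","))
        if assess(version) == "vulnerable":
            exposed.append((host, version))
    return exposed

# Constructed sample inventory (hostnames are made up).
SAMPLE_INVENTORY = """
ws-0101,Acrobat Reader DC,23.003.20284
ws-0102,Acrobat Reader DC,23.006.20320
fin-0007,Acrobat 2020,20.005.30516
fin-0008,Acrobat 2020,20.005.30524
"""

if __name__ == "__main__":
    for host, ver in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {ver} needs the APSB23-34 update")
```

Feed it the output of your software inventory tool in the same three-column shape; builds on a track not listed in the table are reported as unknown rather than silently passed.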

Key Details

Property             | Value
---------------------|----------------------------------------------
CVE ID               | CVE-2023-26369
Vendor / Product     | Adobe — Acrobat and Reader
NVD Published        | 2023-09-13
NVD Last Modified    | 2025-10-23
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-787
CISA KEV Added       | 2023-09-14
CISA KEV Deadline    | 2023-10-05
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
--------------------|----------
Attack Vector       | Local
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2023-10-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
-----------|----------------------------------------------------------------------------------------------------------
2023-09-12 | Adobe releases September 2023 security update APSB23-34, patching CVE-2023-26369 as an actively exploited zero-day
2023-09-13 | CVE assigned
2023-09-14 | Added to CISA Known Exploited Vulnerabilities catalog
2023-10-05 | CISA BOD 22-01 remediation deadline

References

Resource                             | Type
-------------------------------------|-----------------------
Adobe Security Bulletin APSB23-34    | Vendor Advisory
NVD — CVE-2023-26369                 | Vulnerability Database
CISA KEV Catalog Entry               | US Government