Current Cyber Threats

Alert Regarding Vulnerabilities in Adobe Acrobat and Reader

Summary:
Adobe released a security update on March 10, 2026 addressing three vulnerabilities in Adobe Acrobat and Acrobat Reader for Windows and macOS (APSB26-26). Two of the vulnerabilities are Use-After-Free flaws (CVE-2026-27220 and CVE-2026-27278) rated Critical with a CVSS score of 7.8, and a third is an Improper Verification of Cryptographic Signature issue (CVE-2026-27221) rated Important with a CVSS score of 5.5.

Affected versions include Acrobat DC and Acrobat Reader DC Continuous track 25.001.21265 and earlier, as well as Acrobat 2024 Classic 2024 versions 24.001.30307 (Windows) and 24.001.30308 (macOS) and earlier. Adobe has stated it is not aware of active exploitation in the wild for any of these issues.

Security Officer Comments:
Successful exploitation of the two Critical Use-After-Free vulnerabilities could allow an attacker to execute arbitrary code in the context of the current user, achieving high confidentiality, integrity, and availability impact.

Exploitation requires user interaction (specifically, a user opening a maliciously crafted PDF file) but does not require elevated privileges, making social engineering a viable delivery vector.

The cryptographic signature verification flaw could allow an attacker to escalate privileges, potentially enabling further compromise of an affected system.

Given the widespread use of Adobe Acrobat and Reader across enterprise and government environments, these vulnerabilities represent meaningful exposure, particularly in phishing or malicious document delivery scenarios.

Suggested Corrections:
Adobe recommends users update to the patched versions immediately: Acrobat DC and Acrobat Reader DC Continuous should be updated to version 25.001.21288, and Acrobat 2024 Classic 2024 should be updated to version 24.001.30356 on both Windows and macOS.

Updates can be applied manually via Help > Check for Updates within the application, through automatic update mechanisms, or by downloading the latest installer directly from Adobe. IT administrators in managed environments should deploy updates via their standard enterprise tooling such as AIP-GPO, SCUP/SCCM on Windows, or Apple Remote Desktop on macOS.

Organizations should also reinforce user awareness around opening unsolicited or untrusted PDF files as an additional defensive layer while patching is underway.
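
A triage check against the affected and patched versions listed above, as an added example (not from Adobe or the original advisory). It assumes an inventory export with hypothetical columns `host`, `os`, `track` and `version`; the sample hosts and rows are constructed.

```python
import csv

# Thresholds copied from the advisory text above (APSB26-26).
FIXED = {"continuous": (25, 1, 21288), "classic2024": (24, 1, 30356)}
# Highest build the advisory lists as affected, per track and OS.
LAST_AFFECTED = {
    ("continuous", "windows"): (25, 1, 21265),
    ("continuous", "macos"): (25, 1, 21265),
    ("classic2024", "windows"): (24, 1, 30307),
    ("classic2024", "macos"): (24, 1, 30308),
}

def parse_version(text):
    # '25.001.21265' -> (25, 1, 21265); comparing raw strings would misorder builds.
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(track, os_name, version_text):
    key = (track.strip().lower(), os_name.strip().lower())
    if key not in LAST_AFFECTED:
        return "unknown"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    if version >= FIXED[key[0]]:
        return "patched"
    if version <= LAST_AFFECTED[key]:
        return "affected"
    # Between the last listed affected build and the fixed build: still update.
    return "below-fixed"

def triage(inventory_csv):
    rows = csv.DictReader(inventory_csv.splitlines())
    return {r["host"]: classify(r["track"], r["os"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE = """host,os,track,version
ws-001,windows,continuous,25.001.21265
ws-002,windows,continuous,25.001.21288
mac-003,macos,classic2024,24.001.30308
ws-004,windows,classic2024,24.001.30308
ws-007,windows,continuous,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `below-fixed` need manual follow-up; only `patched` means the build is at or above the fixed version for its track.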

Link(s):
https://helpx.adobe.com/security/products/acrobat/apsb26-26.html


https://www.jpcert.or.jp/english/at/2026/at260006.html