Adobe Acrobat and Reader JavaScript Use-After-Free Flaws Patched
Adobe patched two use-after-free vulnerabilities in Acrobat and Reader that were triggered through JavaScript embedded in malicious PDF files. One flaw, tracked as CVE-2020-3800, affected the shared AcroForm.api plugin and the xfa.loadXML method, where malformed XML supplied through JavaScript caused a crash in Acrobat DC on Windows 10. STAR Labs said the bug was reproduced in Acrobat DC 2019.008.20064, with the vulnerable component identified as AcroForm.api version 19.012.20040.17853, and Adobe addressed it in security advisory APSB20-13.
A separate flaw, CVE-2019-16452, affected Acrobat and Reader DC 2019.012.20035 and earlier through the getSound() JavaScript method. Researchers found inconsistent handling of sound-name string objects between a cache dictionary and a JavaScript object's private data, leaving a stale pointer after toString() changed the object's representation. STAR Labs reported that a crafted PDF could potentially turn the bug into code execution inside Adobe's sandbox with careful memory manipulation, and Adobe fixed the issue in bulletin APSB19-55.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Adobe patches CVE-2020-3800 in APSB20-13
Adobe released a patch for CVE-2020-3800 through advisory APSB20-13. STAR Labs publicly documented the flaw the same day, noting the bug caused a crash in AcroForm.api and that practical exploitation appeared limited in their testing.
STAR Labs reports Adobe Reader xfa.loadXML use-after-free to Adobe
STAR Labs notified Adobe of a use-after-free vulnerability in Adobe Acrobat and Reader involving the AcroForm.api plugin and the xfa.loadXML JavaScript method, later assigned CVE-2020-3800. The issue was reproduced on Acrobat DC 2019.008.20064 on Windows 10 64-bit using malformed XML supplied through JavaScript.
Adobe fixes CVE-2019-16452 in APSB19-55
Adobe released a fix for CVE-2019-16452 in Security Bulletin APSB19-55. The vulnerability was also publicly disclosed the same day through STAR Labs' advisory.
Tianfu Cup report discloses Adobe getSound use-after-free to Adobe
A use-after-free vulnerability in Adobe Acrobat and Reader DC involving JavaScript handling of getSound(), later assigned CVE-2019-16452, was reported to Adobe via Tianfu Cup. The flaw affected version 2019.012.20035 and earlier and could potentially enable code execution within the Adobe sandbox.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Adobe Acrobat and Reader Use-After-Free Flaws in PDF Form Field JavaScript
Adobe patched two use-after-free vulnerabilities in Acrobat and Reader, tracked as **CVE-2019-8038** and **CVE-2019-8039**, that affect version `2019.012.20035` and earlier. The flaws are triggered when JavaScript in a PDF manipulates form fields during callbacks, allowing a `Document.Field` object to be freed through `document.removeField` while native code continues to use it. STAR Labs reported that the resulting memory corruption can crash the application and may be exploitable for code execution within Adobe's sandboxed context. The bugs involve insufficient validation around PDF form field handling in `removeField`, with one issue tied to `CTextWidget` objects during Format events and the other to `CTextField` objects during property assignment and hierarchical field naming. Researchers showed that protections could be bypassed by altering `event.target` during nested callbacks or abusing field hierarchies so a field is deleted mid-operation. Adobe acknowledged and fixed both issues in security bulletin **APSB19-41** following coordinated disclosure through ZDI.
May 24, 2026
Adobe Reader DC 3D PDF Parsing Flaws Trigger Out-of-Bounds Reads
Adobe patched two out-of-bounds read vulnerabilities in **Adobe Reader DC** affecting version `2019.010.20099`, both tied to the `2d.x3d!_LoadTIFF()` processing path used to render embedded **U3D** 3D content inside PDF files. Tracked as `CVE-2019-8010` and `CVE-2019-8011`, the flaws can be triggered by a crafted PDF containing malformed external texture references in embedded 3D objects, causing the sandboxed Reader process to crash under the logged-on user context. The bugs affect Acrobat’s handling of ECMA-363 Universal 3D File Format resources, including external image and texture parsing such as PNG- and TIFF-related paths. The issue is not reachable in a default installation unless 3D content display is enabled, but it poses greater risk in environments that routinely exchange 3D PDFs, including CAD-heavy workflows where 3D viewing may be enabled by default. Adobe addressed both issues in advisory **`APSB19-41`** after coordinated disclosure by STAR Labs.
May 24, 2026
Adobe Acrobat and Reader Flaws Enable Code Execution via Malicious Files
JPCERT/CC warned that multiple vulnerabilities in **Adobe Acrobat** and **Adobe Acrobat Reader** could lead to arbitrary code execution on both Windows and macOS, including flaws tracked in Adobe bulletins `APSB26-43` and `APSB26-44`. Adobe said exploitation of the `APSB26-43` issues has been confirmed, while JPCERT/CC noted it had not observed attacks in Japan at publication time and cautioned that broader abuse could follow as technical details spread. The affected products include **Adobe Acrobat DC Continuous**, **Adobe Acrobat Reader DC Continuous**, and **Adobe Acrobat 2024 Classic** up to the vulnerable versions identified by Adobe. JPCERT/CC urged organizations and users to update immediately to the latest patched releases, including `26.001.21431` for the DC Continuous branch and `24.001.30365` for Acrobat 2024 Classic, because opening maliciously crafted content may be enough to trigger remote code execution.
Apr 15, 2026