Adobe Reader DC patched 3D PDF memory corruption flaws in U3D texture handling
Adobe patched two memory corruption vulnerabilities in Adobe Reader DC 2019.010.20064 affecting the rendering of 3D content embedded in PDF files. Tracked as CVE-2019-7119 and CVE-2019-7120, the flaws were found in the 2d.x3d and related rt3d processing path used for ECMA-363 Universal 3D (U3D) resources and external texture images. One bug allowed an arbitrary out-of-bounds write in TRGB::Read() and was observed crashing through 2d!png_set_filter_heuristics, while the other involved an out-of-bounds condition in TIF::Read() tied to _LoadILBM(), reported as an out-of-bounds read at crash time but patched by Adobe as an out-of-bounds write.
The vulnerabilities could be triggered with a crafted U3D file that manipulated texture metadata and referenced external image files, including .iff content, causing memory corruption when a user enabled 3D content display in a PDF. The exposure was not present in a default configuration unless 3D PDF rendering was enabled, but organizations that regularly exchange CAD and other 3D documents faced higher risk. Adobe addressed both issues in advisory APSB19-17 after coordinated disclosure from STAR Labs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Adobe releases APSB19-17 patch for CVE-2019-7119 and CVE-2019-7120
Adobe patched the two Adobe Reader DC vulnerabilities through advisory APSB19-17. The fixes addressed memory corruption issues in the 2d.x3d/rt3d processing path related to external texture image parsing in embedded 3D PDF content.
Adobe patches CVE-2019-7035 in APSB19-07
Adobe acknowledged and fixed CVE-2019-7035, an Adobe Reader DC 3D PDF parsing flaw involving external GIF texture handling in the 2d.x3d module. STAR Labs' advisory says the bug could cause an arbitrary one-byte XOR write in the sandboxed process when 3D content display was enabled.
STAR Labs reports Adobe Reader DC 3D parsing flaws to Adobe
STAR Labs notified Adobe of two vulnerabilities in Adobe Reader DC's 3D content handling path, later assigned CVE-2019-7119 and CVE-2019-7120. Both issues involved crafted U3D/external texture image processing and could lead to memory corruption when 3D PDF content was enabled.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
(CVE-2019-7142) Acrobat Reader DC 2d.x3d!_LoadRGB() Out-of-Bounds Read/Write in TRGB::expandrow() | STAR Labs
starlabs.sg
Open source(CVE-2019-7119) Acrobat Reader DC 2d.x3d!_LoadRGB() Out-of-Bounds Write in TRGB::Read() | STAR Labs
starlabs.sg
Open source(CVE-2019-7122) Acrobat Reader DC 2d.x3d!_LoadTIFF() Out-of-Bounds Read in TTIFFread::TifReadChunkyRGB() | STAR Labs
starlabs.sg
Open source(CVE-2019-7121) Acrobat Reader DC 2d.x3d!_LoadILBM() Out-of-Bounds Read in TIF::Read() | STAR Labs
starlabs.sg
Open source(CVE-2019-7118) Acrobat Reader DC 2d.x3d!_LoadRGB() Out-of-Bounds Write in TRGB::Read() | STAR Labs
starlabs.sg
Open source(CVE-2019-7123) Acrobat Reader DC 2d.x3d!_LoadRGB() Memory Corruption in TRGB::expandrow() | STAR Labs
starlabs.sg
Open source(CVE-2019-7120) Acrobat Reader DC 2d.x3d!_LoadILBM() Out-of-Bounds Read in TIF::Read() | STAR Labs
starlabs.sg
Open source(CVE-2019-7035) Acrobat Reader DC 2d.x3d!_LoadGIF() Arbitrary Write in TGIF::PutPixel() | STAR Labs
starlabs.sg
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Adobe Reader DC 3D PDF Parsing Flaws Trigger Out-of-Bounds Reads
Adobe patched two out-of-bounds read vulnerabilities in **Adobe Reader DC** affecting version `2019.010.20099`, both tied to the `2d.x3d!_LoadTIFF()` processing path used to render embedded **U3D** 3D content inside PDF files. Tracked as `CVE-2019-8010` and `CVE-2019-8011`, the flaws can be triggered by a crafted PDF containing malformed external texture references in embedded 3D objects, causing the sandboxed Reader process to crash under the logged-on user context. The bugs affect Acrobat’s handling of ECMA-363 Universal 3D File Format resources, including external image and texture parsing such as PNG- and TIFF-related paths. The issue is not reachable in a default installation unless 3D content display is enabled, but it poses greater risk in environments that routinely exchange 3D PDFs, including CAD-heavy workflows where 3D viewing may be enabled by default. Adobe addressed both issues in advisory **`APSB19-41`** after coordinated disclosure by STAR Labs.
May 24, 2026
Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs
Foxit Reader contained two memory-corruption vulnerabilities in the `U3DBrowser` plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. **CVE-2019-6983** stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized `fread()` into a much smaller heap buffer. **CVE-2019-6982** involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a `malloc`-allocated buffer. The flaws affected Foxit Reader 9.x builds, including version `9.1.0.5096` with `U3DBrowser.fpi 9.1.0.425` and version `9.0.1.1049` with `U3DBrowser.fpi 9.0.1.994`. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.
May 24, 2026
Adobe Acrobat and Reader JavaScript Use-After-Free Flaws Patched
Adobe patched two use-after-free vulnerabilities in **Acrobat** and **Reader** that were triggered through JavaScript embedded in malicious PDF files. One flaw, tracked as `CVE-2020-3800`, affected the shared `AcroForm.api` plugin and the `xfa.loadXML` method, where malformed XML supplied through JavaScript caused a crash in Acrobat DC on Windows 10. STAR Labs said the bug was reproduced in Acrobat DC `2019.008.20064`, with the vulnerable component identified as `AcroForm.api` version `19.012.20040.17853`, and Adobe addressed it in security advisory `APSB20-13`. A separate flaw, `CVE-2019-16452`, affected Acrobat and Reader DC `2019.012.20035` and earlier through the `getSound()` JavaScript method. Researchers found inconsistent handling of sound-name string objects between a cache dictionary and a JavaScript object's private data, leaving a stale pointer after `toString()` changed the object's representation. STAR Labs reported that a crafted PDF could potentially turn the bug into code execution inside Adobe's sandbox with careful memory manipulation, and Adobe fixed the issue in bulletin `APSB19-55`.
May 24, 2026