Adobe Acrobat and Reader Use-After-Free Flaws in PDF Form Field JavaScript
Adobe patched two use-after-free vulnerabilities in Acrobat and Reader, tracked as CVE-2019-8038 and CVE-2019-8039, that affect version 2019.012.20035 and earlier. The flaws are triggered when JavaScript in a PDF manipulates form fields during callbacks, allowing a Document.Field object to be freed through document.removeField while native code continues to use it. STAR Labs reported that the resulting memory corruption can crash the application and may be exploitable for code execution within Adobe's sandboxed context.
The bugs involve insufficient validation around PDF form field handling in removeField, with one issue tied to CTextWidget objects during Format events and the other to CTextField objects during property assignment and hierarchical field naming. Researchers showed that protections could be bypassed by altering event.target during nested callbacks or abusing field hierarchies so a field is deleted mid-operation. Adobe acknowledged and fixed both issues in security bulletin APSB19-41 following coordinated disclosure through ZDI.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Adobe patches CVE-2019-8038 and CVE-2019-8039 in APSB19-41
Adobe acknowledged and fixed the two Acrobat/Reader use-after-free vulnerabilities in Security Bulletin APSB19-41. The coordinated public disclosure identified the bugs as potentially enabling code execution within Adobe's sandboxed context.
STAR Labs reports Adobe Acrobat/Reader use-after-free flaws via ZDI
STAR Labs reported two related use-after-free vulnerabilities in Adobe Acrobat and Reader, later assigned CVE-2019-8038 and CVE-2019-8039, through Trend Micro's Zero Day Initiative. The flaws affected version 2019.012.20035 and earlier and involved JavaScript-triggered deletion of PDF form field objects while still in use.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Adobe Acrobat and Reader JavaScript Use-After-Free Flaws Patched
Adobe patched two use-after-free vulnerabilities in **Acrobat** and **Reader** that were triggered through JavaScript embedded in malicious PDF files. One flaw, tracked as `CVE-2020-3800`, affected the shared `AcroForm.api` plugin and the `xfa.loadXML` method, where malformed XML supplied through JavaScript caused a crash in Acrobat DC on Windows 10. STAR Labs said the bug was reproduced in Acrobat DC `2019.008.20064`, with the vulnerable component identified as `AcroForm.api` version `19.012.20040.17853`, and Adobe addressed it in security advisory `APSB20-13`. A separate flaw, `CVE-2019-16452`, affected Acrobat and Reader DC `2019.012.20035` and earlier through the `getSound()` JavaScript method. Researchers found inconsistent handling of sound-name string objects between a cache dictionary and a JavaScript object's private data, leaving a stale pointer after `toString()` changed the object's representation. STAR Labs reported that a crafted PDF could potentially turn the bug into code execution inside Adobe's sandbox with careful memory manipulation, and Adobe fixed the issue in bulletin `APSB19-55`.
May 24, 2026
Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws
Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as **CVE-2026-5940** and **CVE-2026-5943** through Zero Day Initiative advisories **ZDI-26-301** and **ZDI-26-304**. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process. Exploitation requires user interaction, including opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves **AcroForm Annotation** objects; each carries a **CVSS 7.8** severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.
May 24, 2026
Adobe Acrobat Reader Prototype Pollution Flaws Enable Code Execution
Adobe disclosed two high-severity prototype pollution vulnerabilities in **Acrobat Reader** tracked as `CVE-2026-34621` and `CVE-2026-34622`. Both flaws can lead to arbitrary code execution in the context of the current user if a victim opens a malicious file, making user interaction a required condition for exploitation. Adobe classified both issues under `CWE-1321` and assigned CVSS v3.1 vectors indicating high impact to confidentiality, integrity, and availability. `CVE-2026-34621` affects Acrobat Reader versions `24.001.30356`, `26.001.21367`, and earlier, while `CVE-2026-34622` affects versions `26.001.21411`, `24.001.30360`, `24.001.30362`, and earlier. The disclosures indicate the vulnerabilities were reported to Adobe's PSIRT and published with advisory references, signaling that organizations using Acrobat Reader should identify exposed versions and prioritize updates to reduce the risk of malicious document-based compromise.
Apr 23, 2026