High

Use-after-free information disclosure in Adobe Acrobat and Reader xfa.loadXML

IdentifiersCVE-2020-3800CWE-416

CVE-2020-3800 affects Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, and 2015.006.30510 and earlier. The issue is described by Adobe as a memory address leak vulnerability leading to information disclosure. Supporting analysis indicates the bug is a use-after-free in the shared AcroForm.api plugin, reachable via JavaScript through the xfa.loadXML method. Supplying malformed XML to xfa.loadXML can trigger a crash in AcroForm.api; the reported crash path traverses AcroForm, AXE8SharedExpat, and EScript modules. The vulnerable component identified in testing was AcroForm.api version 19.012.20040.17853.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can disclose memory addresses from the target process, weakening exploit mitigations such as ASLR and exposing process memory layout information. Adobe classifies the issue as information disclosure. Although the broader APSB20-13 bulletin also covered vulnerabilities with code-execution impact, the specific impact documented for CVE-2020-3800 is information disclosure via memory address leakage. The supporting analysis notes that while indirect calls existed after the free, practical control sufficient for reliable code execution was not demonstrated.

Mitigation

If you can’t patch tonight, do this now.

Apply Adobe's security updates using the built-in updater or enterprise software deployment tooling. Until patching is completed, reduce exposure by limiting the opening of untrusted PDF documents and, where operationally feasible, restricting or disabling JavaScript execution in Acrobat/Reader because the reported trigger path uses JavaScript xfa.loadXML with malformed XML content.

Remediation

Patch, then assume compromise.

Update Adobe Acrobat and Reader to the vendor-fixed versions referenced in APSB20-13. The advisory states fixed releases are Acrobat/Reader DC Continuous 2020.006.20042, Acrobat/Reader 2017 Classic 2017.011.30166, and Acrobat/Reader 2015 Classic 2015.006.30518. Systems running affected or earlier versions should be upgraded to these versions or later.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AdobeAcrobat Dcapplication

AdobeAcrobat Reader Dcapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

adobe-security-bulletinsNews

Aug 11, 2020

Adobe Security Bulletin

A memory address leak vulnerability in Adobe Acrobat and Reader that could lead to information disclosure.

starlabs sgNews

Mar 17, 2020

(CVE-2020-3800) Adobe Reader xfa.loadXML Use-after-Free | STAR Labs

A use-after-free vulnerability in Adobe Acrobat/Reader's AcroForm.api plugin triggered by malformed XML data via JavaScript xfa.loadXML, causing a crash and potentially limited code execution impact.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2020-3800

NVD

nvd.nist.gov/vuln/detail/CVE-2020-3800

MITRE CWE · CWE-416

cwe.mitre.org

Vendor Advisory

helpx.adobe.com/security/products/acrobat/apsb20-13.html