
Adobe Acrobat and Reader Use-After-Free Flaws in PDF Form Field JavaScript

Tags: endpoint-software-vulnerability, widely-deployed-product-advisory, proof-of-concept-release
Updated April 11, 2026 at 05:23 PM (2 sources)

Adobe patched two use-after-free vulnerabilities in Acrobat and Reader, tracked as CVE-2019-8038 and CVE-2019-8039, that affect version 2019.012.20035 and earlier. Both are triggered by JavaScript embedded in a PDF that manipulates form fields from inside an event callback: the script calls document.removeField, which frees the underlying Document.Field object while the native code that invoked the callback is still holding a pointer to it. STAR Labs reported that the resulting memory corruption crashes the application and may be exploitable for code execution within Adobe's sandboxed context.

The root cause is insufficient validation in removeField that the field being deleted is not still in use by the form-field code that called into the script. One issue involves CTextWidget objects freed during a Format event; the other involves CTextField objects freed during property assignment and hierarchical (parent.child) field naming. The researchers showed that the existing protections could be bypassed by reassigning event.target inside a nested callback, or by abusing field hierarchies so that a field is deleted mid-operation. Adobe acknowledged and fixed both issues in security bulletin APSB19-41 following coordinated disclosure through Trend Micro's Zero Day Initiative (ZDI).
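As an added triage example (not code from this page, STAR Labs, Adobe or ZDI), the following Python script scans an uncompressed PDF for form-field additional actions (/AA) whose JavaScript calls removeField or reassigns event.target, the two behaviours described above. The embedded sample PDF is constructed here purely to exercise the scanner; it is not a working trigger for either CVE, and the field names, trigger labels and pattern list are this example's own choices, not identifiers from the advisory.

```python
import re

# Constructed sample PDF (not from the original page, not a working exploit): one text
# field ("victim") whose Format (/F) action removes its own field object from inside the
# callback and whose Keystroke (/K) action reassigns event.target, plus a second field
# ("amount") with an ordinary AFNumber_Format action. Only the syntax matters here.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R 6 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [4 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (victim) /Rect [10 10 100 40]
  /AA << /F 5 0 R
         /K << /S /JavaScript /JS (event.target = this.getField("amount");) >> >> >> endobj
5 0 obj << /S /JavaScript /JS (this.removeField(event.target.name);) >> endobj
6 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (amount) /Rect [10 50 100 80]
  /AA << /F << /S /JavaScript /JS (AFNumber_Format(2, 0, 0, 0, "", true);) >> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Additional-action keys on a form field that run a script while the field is being handled.
TRIGGERS = {"F": "Format", "K": "Keystroke", "V": "Validate", "C": "Calculate"}

# Script patterns matching the behaviour the advisory describes (heuristic, chosen here).
SUSPICIOUS = {
    "removeField call": re.compile(r"\bremoveField\s*\("),
    "event.target reassignment": re.compile(r"\bevent\.target\s*=(?!=)"),
}


def balanced(text, start, open_tok="<<", close_tok=">>"):
    """Return the dictionary starting at text[start], including any nested dictionaries."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith(open_tok, i):
            depth += 1
            i += len(open_tok)
        elif text.startswith(close_tok, i):
            depth -= 1
            i += len(close_tok)
            if depth == 0:
                return text[start:i]
        else:
            i += 1
    raise ValueError("unbalanced dictionary at offset %d" % start)


def literal_string(text, start):
    """Decode a PDF literal string starting at text[start] == '('.

    Balanced parentheses may appear unescaped inside the string; a backslash escapes
    the next character (octal and line-continuation escapes are left as-is, which is
    good enough for a keyword search)."""
    depth, i, out = 0, start, []
    while i < len(text):
        c = text[i]
        if c == "\\":
            out.append(text[i + 1])
            i += 2
            continue
        if c == "(":
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                return "".join(out)
            out.append(c)
        else:
            out.append(c)
        i += 1
    raise ValueError("unterminated literal string at offset %d" % start)


def extract_js(action):
    """Return the script from an action dictionary's /JS entry (literal or hex string), or None."""
    m = re.search(r"/JS\s*", action)
    if not m or m.end() >= len(action):
        return None
    pos = m.end()
    if action[pos] == "(":
        return literal_string(action, pos)
    if action[pos] == "<" and not action.startswith("<<", pos):  # hex string <...>
        end = action.index(">", pos)
        return bytes.fromhex(re.sub(r"\s", "", action[pos + 1:end])).decode("latin-1")
    return None  # a /JS that points at a stream object is not resolved by this scanner


def scan_pdf(pdf_bytes):
    """Flag field actions whose script removes fields or retargets the current event."""
    text = pdf_bytes.decode("latin-1")
    objects = {int(n): body for n, body in re.findall(r"(\d+)\s+\d+\s+obj(.*?)endobj", text, re.S)}
    findings = []
    for num, body in objects.items():
        tm = re.search(r"/T\s*(?=\()", body)  # partial field name, if the object has one
        field = literal_string(body, tm.end()) if tm else None
        for m in re.finditer(r"/AA\s*(?:(\d+)\s+\d+\s+R|(?=<<))", body):
            aa = objects.get(int(m.group(1)), "") if m.group(1) else balanced(body, m.end())
            for entry in re.finditer(r"/(\w+)\s*(?:(\d+)\s+\d+\s+R|(?=<<))", aa):
                key = entry.group(1)
                if key not in TRIGGERS:
                    continue
                action = objects.get(int(entry.group(2)), "") if entry.group(2) else balanced(aa, entry.end())
                js = extract_js(action)
                if js is None:
                    continue
                for label, pattern in SUSPICIOUS.items():
                    if pattern.search(js):
                        findings.append({"object": num, "field": field, "trigger": TRIGGERS[key],
                                         "pattern": label, "js": js.strip()})
    return findings


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print("obj %(object)d field %(field)r: %(trigger)s action -> %(pattern)s: %(js)s" % f)
```

Run against the sample, the scanner reports two findings on object 4 (the Format action's removeField call and the Keystroke action's event.target reassignment) and nothing for the benign AFNumber_Format field. Two caveats for real triage: the script reads raw object syntax only, so expand object streams and FlateDecode'd content first (for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`), and a hit means "a script deletes or retargets a field from inside a field callback", which is worth a closer look but is not by itself proof of an exploit attempt.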

Timeline

  1. Aug 19, 2019

    Adobe patches CVE-2019-8038 and CVE-2019-8039 in APSB19-41

    Adobe acknowledged and fixed the two Acrobat/Reader use-after-free vulnerabilities in Security Bulletin APSB19-41. The coordinated public disclosure identified the bugs as potentially enabling code execution within Adobe's sandboxed context.

  2. Jun 20, 2019

    STAR Labs reports Adobe Acrobat/Reader use-after-free flaws via ZDI

    STAR Labs reported two related use-after-free vulnerabilities in Adobe Acrobat and Reader, later assigned CVE-2019-8038 and CVE-2019-8039, through Trend Micro's Zero Day Initiative. The flaws affected version 2019.012.20035 and earlier and involved JavaScript-triggered deletion of PDF form field objects while still in use.


Related Stories

Adobe Acrobat and Reader JavaScript Use-After-Free Flaws Patched

Adobe patched two use-after-free vulnerabilities in **Acrobat** and **Reader** that were triggered through JavaScript embedded in malicious PDF files. One flaw, tracked as `CVE-2020-3800`, affected the shared `AcroForm.api` plugin and the `xfa.loadXML` method, where malformed XML supplied through JavaScript caused a crash in Acrobat DC on Windows 10. STAR Labs said the bug was reproduced in Acrobat DC `2019.008.20064`, with the vulnerable component identified as `AcroForm.api` version `19.012.20040.17853`, and Adobe addressed it in security advisory `APSB20-13`. A separate flaw, `CVE-2019-16452`, affected Acrobat and Reader DC `2019.012.20035` and earlier through the `getSound()` JavaScript method. Researchers found inconsistent handling of sound-name string objects between a cache dictionary and a JavaScript object's private data, leaving a stale pointer after `toString()` changed the object's representation. STAR Labs reported that a crafted PDF could potentially turn the bug into code execution inside Adobe's sandbox with careful memory manipulation, and Adobe fixed the issue in bulletin `APSB19-55`.

Foxit PDF Reader Patches Annotation Use-After-Free RCE Flaws

Foxit PDF Reader has patched two remotely exploitable use-after-free vulnerabilities in its handling of annotation-related objects, disclosed as **CVE-2026-5940** and **CVE-2026-5943** through Zero Day Initiative advisories **ZDI-26-301** and **ZDI-26-304**. Both flaws stem from insufficient validation that an object still exists before operations are performed on it, creating memory corruption conditions that can let an attacker execute arbitrary code in the context of the current process. Exploitation requires user interaction, including opening a malicious PDF file or visiting a malicious page that triggers the vulnerable code path. One issue affects Annotation object handling broadly, while the other specifically involves **AcroForm Annotation** objects; each carries a **CVSS 7.8** severity rating. The bugs were reported to Foxit on March 30, 2026, and the vendor released updates in coordination with public disclosure to remediate the vulnerabilities.

Adobe Acrobat Reader Prototype Pollution Flaws Enable Code Execution

Adobe disclosed two high-severity prototype pollution vulnerabilities in **Acrobat Reader** tracked as `CVE-2026-34621` and `CVE-2026-34622`. Both flaws can lead to arbitrary code execution in the context of the current user if a victim opens a malicious file, making user interaction a required condition for exploitation. Adobe classified both issues under `CWE-1321` and assigned CVSS v3.1 vectors indicating high impact to confidentiality, integrity, and availability. `CVE-2026-34621` affects Acrobat Reader versions `24.001.30356`, `26.001.21367`, and earlier, while `CVE-2026-34622` affects versions `26.001.21411`, `24.001.30360`, `24.001.30362`, and earlier. The disclosures indicate the vulnerabilities were reported to Adobe's PSIRT and published with advisory references, signaling that organizations using Acrobat Reader should identify exposed versions and prioritize updates to reduce the risk of malicious document-based compromise.
