How to Fix CVE-2021-28550: Adobe Acrobat and Reader Use-After-Free RCE
*By Sai Kiran Pandrala*
| Severity | CVSS 9.6 (Critical) |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | Acrobat Reader DC 2021.001.20150 and earlier, Acrobat DC 2021.001.20150 and earlier, Acrobat Reader 2020 2020.001.30020 and earlier, Acrobat 2017 17.011.30190 and earlier |
| Fixed in | Updates per Adobe APSB21-29, plus all subsequent Acrobat / Reader releases |
| Type (CWE) | Use-After-Free |
⚠️ Update Acrobat Reader / Acrobat Pro across your fleet. Phishing attachments with malicious PDFs use this CVE to drop payloads.
What is CVE-2021-28550?
Acrobat and Acrobat Reader have a use-after-free vulnerability in PDF processing. Opening a crafted PDF triggers the UAF and lets the attacker execute arbitrary code in the user context. This is the classic "open the attached invoice.pdf and your machine is owned" pattern.
Am I affected?
You are affected if you run any version below the patched Acrobat / Reader release. Check the running version: Help → About Acrobat / About Adobe Acrobat Reader.
How to fix CVE-2021-28550
- For end-user fleets: deploy the current Acrobat / Reader version via your endpoint management platform (Intune, JAMF, SCCM, Workspace ONE). The fix is in every cumulative update from May 2021 onward.
- For individual users: Acrobat Reader → Help → Check for Updates. Install the cumulative update and restart Reader.
- For Acrobat Pro / Standard licensed seats: Adobe's Creative Cloud client manages updates; ensure auto-update is enabled, then run "Check for Updates" from within Acrobat.
Patch via your OS package manager
```shell
# The exact package name and patched version are listed in the vendor advisory:
# https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
# "acrobatreader" below is a placeholder: substitute the package name your repository actually uses.
# Debian / Ubuntu
sudo apt update
sudo apt install --only-upgrade acrobatreader
# RHEL / Rocky / AlmaLinux / Fedora
sudo dnf upgrade acrobatreader
# openSUSE
sudo zypper update acrobatreader
# Verify the running version matches the fixed version
dpkg -s acrobatreader 2>/dev/null | grep -i version || rpm -q acrobatreader 2>/dev/null
```
```powershell
# Windows: Acrobat / Reader updates are not distributed through Windows Update, so apply the
# Acrobat fix itself via the Adobe updater (Help -> Check for Updates) or your endpoint
# management platform. The commands below only bring the OS's own cumulative update current.
Install-Module PSWindowsUpdate -Force -SkipPublisherCheck
Get-WindowsUpdate -AcceptAll -Install -AutoReboot
```
Verify the fix landed
```shell
# 1. Confirm the running version matches the fixed-in version from the advisory:
# https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
# Use the platform-specific version probe above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2021-28550 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
```
If you can't patch immediately
- Block inbound PDF attachments at the mail gateway for high-risk user groups.
- Disable JavaScript in Acrobat via Edit → Preferences → JavaScript → uncheck "Enable Acrobat JavaScript" as group policy across the fleet.
- Train users to be cautious of unexpected PDF attachments.
How to verify the fix worked
Help → About shows a version at or above the patched release. Use endpoint management reporting to confirm fleet-wide compliance.
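To turn the "Am I affected?" check and the fleet-wide compliance check into something you can run over an endpoint-management export, here is an added example (not from Adobe or this guide's original text). It encodes the "and earlier" thresholds from the affected-versions table above; the rule that Classic-track builds are numbered 3xxxx and Continuous-track builds 2xxxx, the `host,product,version` CSV layout and the sample rows are assumptions.

```python
"""Flag Acrobat / Reader installs still inside the CVE-2021-28550 affected range."""
import csv
import io
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# "X and earlier" thresholds from the advisory's affected-versions table.
LAST_AFFECTED = {
    "continuous": (2021, 1, 20150),   # Acrobat DC / Acrobat Reader DC
    "classic2020": (2020, 1, 30020),  # Acrobat / Acrobat Reader 2020
    "classic2017": (2017, 11, 30190), # Acrobat 2017
}

def parse_version(text: str) -> Version:
    """Normalise '21.001.20150' (registry DisplayVersion form) or '2021.001.20150' to a tuple."""
    major, minor, build = (int(p) for p in text.strip().split("."))
    if major < 100:          # two-digit year form
        major += 2000
    return major, minor, build

def track_for(version: Version) -> Optional[str]:
    """Assumption: Classic-track builds are 3xxxx, Continuous-track builds are 2xxxx."""
    major, _minor, build = version
    if build < 30000:
        return "continuous"
    # Classic years the advisory does not list (e.g. 2015) are reported as unknown.
    return {2017: "classic2017", 2020: "classic2020"}.get(major)

def is_affected(version_text: str) -> Optional[bool]:
    """True/False for tracks the table covers; None when the track is not in the table."""
    version = parse_version(version_text)
    track = track_for(version)
    if track is None:
        return None
    return version <= LAST_AFFECTED[track]

# Constructed sample export (host,product,version); not real inventory data.
SAMPLE_INVENTORY = """host,product,version
pc-101,Adobe Acrobat Reader DC,21.001.20150
pc-102,Adobe Acrobat Reader DC,2021.001.20155
pc-103,Adobe Acrobat 2020,20.001.30020
pc-104,Adobe Acrobat 2017,17.011.30194
pc-105,Adobe Acrobat Reader DC,20.013.20074
"""

def affected_hosts(inventory_csv: str) -> List[str]:
    """Hosts whose Acrobat / Reader version is at or below the last affected build."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [r["host"] for r in rows if is_affected(r["version"]) is True]
```

Hosts that come back as `None` from `is_affected` are on a Classic track the advisory table does not cover and should be checked against the bulletin by hand.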
Frequently asked questions
Is CVE-2021-28550 actively exploited?
Yes. CVE-2021-28550 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2021-28550?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Adobe security bulletin APSB21-29: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-28550
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from Adobe APSB21-29, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Adobe's bulletin before applying changes in production.*
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2011-0609: Denial of Service in Flash Player
- How to Fix CVE-2008-2992: Out-of-bounds write in Java
- How to Fix CVE-2026-27268: Illustrator | Out-of-bounds Read (CWE-125) in Illustrator
- How to Fix CVE-2023-26360: Access Control Bypass in ColdFusion
- How to Fix CVE-2026-27297: Integer underflow (wrap or wraparound) (CWE-191) in Adobe FrameMaker