Published on July 9, 2018

Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Vendor Advisory NVD

Known Exploited Vulnerability

This Adobe Acrobat and Reader Double Free Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Adobe Acrobat and Reader have a double free vulnerability that could lead to remote code execution.

The following remediation steps are recommended / required by June 22, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2018-4990 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

What is a Double-free Vulnerability?

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.

CVE-2018-4990 has been classified to as a Double-free vulnerability or weakness.

Products Associated with CVE-2018-4990

You can be notified by whenever vulnerabilities like CVE-2018-4990 are published in these products:

What versions are vulnerable to CVE-2018-4990?

Each of the following must match for the vulnerability to exist.