CVE-2021-28550

ENISA EUVD: EUVD-2021-15226 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 4 articles Published: 2021-09-02

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

30.72%

probability

This CVE has a 30.72% probability of being exploited in the next 30 days.

0% Top 96.8th percentile of all CVEs 100%

CVSS v3.0

Source: VulnerabilityLookup (CIRCL)

9.6

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v2 (legacy)

6.8

MEDIUM

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Description

VulnerabilityLookup (CNA)

Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Affected Products

Adobe

Acrobat Reader

unspecified unspecified unspecified unspecified

adobe

acrobat dc

adobe

acrobat reader dc

adobe

acrobat

adobe

acrobat reader

Adobe

Acrobat Reader

unspecified ≤2021.001.20150

Adobe

Acrobat Reader

unspecified ≤None

Adobe

Acrobat Reader

unspecified ≤2020.001.30020

Adobe

Acrobat Reader

unspecified ≤2017.011.30194

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-416 · Use After Free CWE-664 · Improper Control of a Resource Through its Lifetime CWE-666 · Operation on Resource in Wrong Phase of Lifetime CWE-672 · Operation on a Resource after Expiration or Release CWE-825 · Expired Pointer Dereference

Google Project Zero

Patched

May 11, 2021

Reported by

???

Root Cause Analysis

???

https://helpx.adobe.com/security/products/acrobat/apsb21-29.html

Signal Intelligence

Confidenceⓘ

92%

EPSS 30.72%

CVSS v3.0 9.6

Mentions 4

Last Seen Nov 09, 2021

CNA Information

CNA Assigner

adobe

CNA Title

Adobe Acrobat Reader use after free vulnerability could lead to arbitrary code execution

Analyst Note

CVE-2021-28550 is confirmed as a critical use-after-free vulnerability in Adobe Acrobat Reader with CVSS 9.6, affecting multiple widely-deployed versions and requiring only user interaction for exploitation. The classification is strongly supported by official Adobe advisories, coverage in CERT-EU security guidance, and inclusion in Google Project Zero tracking, demonstrating widespread awareness and validation within the security community.

Triage Info

Decided atMar 03, 2026

Published DateSep 02, 2021