CVE-2022-28256: Adobe Acrobat Reader DC Annotation Use-After-Free Information Disclosure Vulnerability
First published: Wed May 11 2022(Updated: )
Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by a use-after-free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Acrobat Reader DC | >=15.008.20082<=22.001.20085 | |
| Adobe Acrobat Reader | >=15.008.20082<=22.001.20085 | |
| macOS | ||
| Microsoft Windows Operating System | ||
| Adobe Acrobat Reader | >=17.011.30059<=17.012.30205 | |
| Adobe Acrobat Reader Notification Manager | >=17.011.30059<=17.012.30205 | |
| Adobe Acrobat Reader | >=20.001.30005<=20.005.30314 | |
| Adobe Acrobat Reader Notification Manager | >=20.001.30005<=20.005.30314 | |
| Adobe Acrobat Reader | >=20.001.30005<=20.005.30311 | |
| Adobe Acrobat Reader Notification Manager | >=20.001.30005<=20.005.30311 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-28256?
CVE-2022-28256 is considered critical due to its potential to lead to sensitive memory disclosure.
How do I fix CVE-2022-28256?
To address CVE-2022-28256, update Adobe Acrobat Reader DC to the latest version released by Adobe.
Which versions are affected by CVE-2022-28256?
CVE-2022-28256 affects Adobe Acrobat Reader DC versions 22.001.2011 and earlier, 20.005.3033 and earlier, as well as 17.012.3022 and earlier.
What type of vulnerability is CVE-2022-28256?
CVE-2022-28256 is a use-after-free vulnerability that can be exploited to disclose sensitive information.
Can CVE-2022-28256 be exploited remotely?
Yes, CVE-2022-28256 can be leveraged by an attacker to exploit the vulnerability remotely.
- agent/type
- agent/weakness
- agent/author
- agent/references
- agent/description
- agent/severity
- agent/title
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/adobe
- canonical/adobe acrobat reader dc
- version/adobe acrobat reader dc/15.008.20082
- version/adobe acrobat reader dc/22.001.20085
- canonical/adobe acrobat reader
- version/adobe acrobat reader/15.008.20082
- version/adobe acrobat reader/22.001.20085
- vendor/apple
- canonical/macos
- vendor/microsoft
- canonical/microsoft windows operating system
- version/adobe acrobat reader/17.011.30059
- version/adobe acrobat reader/17.012.30205
- canonical/adobe acrobat reader notification manager
- version/adobe acrobat reader notification manager/17.011.30059
- version/adobe acrobat reader notification manager/17.012.30205
- version/adobe acrobat reader/20.001.30005
- version/adobe acrobat reader/20.005.30314
- version/adobe acrobat reader notification manager/20.001.30005
- version/adobe acrobat reader notification manager/20.005.30314
- version/adobe acrobat reader/20.005.30311
- version/adobe acrobat reader notification manager/20.005.30311