CVE-2018-4904

high-risk

Published 2018-02-27

An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a heap overflow vulnerability. The vulnerability is triggered by crafted TIFF data within an XPS file, which causes an out of bounds memory access. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

Do I need to act?

5.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (6)

Acrobat

Acrobat Dc

Acrobat Reader

Acrobat Reader Dc

Affected Vendors

Adobe

References (7)

Third Party Advisory http://www.securityfocus.com/bid/102992

Third Party Advisory http://www.securitytracker.com/id/1040364

Vendor Advisory https://helpx.adobe.com/security/products/acrobat/apsb18-02.html

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-18-170/

Third Party Advisory http://www.securityfocus.com/bid/102992

Third Party Advisory http://www.securitytracker.com/id/1040364

Vendor Advisory https://helpx.adobe.com/security/products/acrobat/apsb18-02.html

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 8/34 · Low

Exposure 13/34 · Low