CVE-2023-21608: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability (CVE-2023-21608) that was discovered in January 2023. The vulnerability was identified by security researchers Ashfaq Ansari and Krishnakant Patil from HackSys Inc, working with Trend Micro Zero Day Initiative. This high-severity vulnerability could result in arbitrary code execution in the context of the current user, requiring user interaction through opening a malicious file (Adobe Advisory, NVD).

The vulnerability is classified as a Use After Free (CWE-416) issue that specifically exists within the resetForm method. The flaw stems from the lack of validation for object existence prior to performing operations on the object. It received a CVSS v3.1 base score of 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Security Online).

When successfully exploited, the vulnerability allows attackers to execute arbitrary code with the privileges of the current user or cause the application to crash. The impact affects multiple versions of Adobe Acrobat and Reader products, including Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020 (Hacker News).

Adobe released patches for the vulnerability in January 2023. The fixed versions are: Acrobat DC version 22.003.20310, Acrobat Reader DC version 22.003.20310, Acrobat 2020 version 20.005.30436, and Acrobat Reader 2020 version 20.005.30436. Federal Civilian Executive Branch (FCEB) agencies were required to apply the vendor-provided patches by October 31, 2023 (Hacker News).