Adobe Acrobat Reader Base URI Unicode String Heap Buffer Overflow Vulnerability


A heap buffer overflow vulnerability exists in the IA32.api module of Adobe Acrobat and Acrobat Reader DC. Upon parsing a specially crafted PDF document containing URI entries with URI dictionaries and a specially crafted base URL defined with raw Unicode strings can trigger the vulnerability to achieve remote code execution.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-47ea5148
  • MITRE CVE: CVE-2021-39863

Vulnerability Metrics

  • CVSSv2 Score: 8.8

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: June 28th, 2021
  • Disclosed to public: September 14th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.