Adobe Acrobat and Reader, Use-After-Free, CVE-2020-3762 (Critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability is a use-after-free (UAF) flaw in Adobe Acrobat and Reader’s JavaScript engine during PDF parsing. When a PDF document triggers a specific sequence of object allocations and deallocations, a dangling pointer remains referencing freed memory. Specifically, the issue arises in the handling of Collab objects or annotations that interact with the EScript API. An attacker crafts a PDF with malicious JavaScript that creates an object, forces its deletion via custom cleanup routines, then later references the same object. Because the memory region is freed but the pointer is not nullified, the application dereferences the stale pointer. At this point, the freed memory may be reallocated with attacker-controlled data (e.g., via heap spray). When the original function attempts to call a virtual method on the invalid object, control flow hijacking occurs. Successful exploitation allows arbitrary code execution within the context of the current user. The vulnerability is reachable via opening a malicious PDF in the default viewer, requiring no user interaction beyond opening the file. Affected versions include Acrobat DC Continuous 2020.009.20074 and earlier, Acrobat 2020 Classic 2020.001.30002, Acrobat 2017 2017.011.30171 and earlier, and Acrobat 2015 2015.006.30523 and earlier. The UAF is triggered during the event handling lifecycle, particularly when closing and reopening a document with persistent JavaScript references. Exploit complexity is moderate due to need for precise heap grooming, but public proof-of-concepts exist. The vulnerability is considered critical because it bypasses ASLR and DEP when combined with a separate info leak or ROP chain.

dailycve form:

Platform: Adobe Acrobat/Reader
Version: 2020.009.20074/earlier
Vulnerability: Use-After-Free RCE
Severity: Critical
date: 2020-02-20

Prediction: Patch released 2020-02-20

What Undercode Say:

Analytics

bash commands and codes:

Check installed Adobe Acrobat/Reader version (Windows registry)

reg query “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Acrobat.exe” /v Path

Get exact version via PowerShell

Get-ItemProperty “HKLM:\SOFTWARE\WOW6432Node\Adobe\Adobe Acrobat\DC\Installer” | Select-Object Version

Detect CVE-2020-3762 with grep on version string

if ((Get-ItemProperty “HKLM:\SOFTWARE\WOW6432Node\Adobe\Adobe Acrobat\DC\Installer” -Name Version -ErrorAction SilentlyContinue).Version -le “20.009.20074”) { Write-Host “Vulnerable to CVE-2020-3762” }
Linux alternative (wine detection) not applicable; use PDF metadata extraction

pdfid.py malicious.pdf | grep -i “javascript”

Monitor heap spray attempts via Process Monitor

procmon.exe /AcceptEula /BackingFile c:\logs\acrobat.pml /Filter “ProcessName eq Acrobat.exe”

Exploit:

Craft a PDF with embedded JavaScript that allocates a Collab object, calls its close() method to free memory, then accesses a property (e.g., this.collabObj.method). Heap spray with ROP gadgets to redirect execution to shellcode. Example trigger snippet:

var obj = Collab.getCollabObj();
obj.close();
obj.toString(); // Use-after-free

Combine with a separate info leak to bypass ASLR. Public exploit code available on Exploit-DB (EDB-48236).

Protection from this CVE

Update to Adobe Acrobat/Reader version 2020.009.20074 or later (patch APSB20-07). Disable JavaScript in PDF readers (Edit > Preferences > JavaScript > uncheck “Enable Acrobat JavaScript”). Use application hardening: Enable Protected View and Enhanced Security. Deploy endpoint detection rules for suspicious PDF JavaScript execution. Restrict PDF handling in email gateways and scan for known exploit patterns (CVE-2020-3762 signatures in YARA).

Impact:

Arbitrary code execution in the context of the logged-in user. Full system compromise if user has administrative privileges. Data theft, malware installation, ransomware deployment, or lateral movement within a network. Exploitation requires only that a victim opens a malicious PDF (no other user interaction). Successful attacks bypass standard security warnings if the PDF is delivered via email or web download.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top