Parser vulnerabilities in common software packages such as Adobe Acrobat Reader pose a significant security risk to large portions of the internet. Because these software packages typically have a large footprint, they often give attackers a broad attack surface they can potentially leverage for malicious purposes. Thus, identifying vulnerabilities and responsibly disclosing them is critical to eliminating attack vectors that may otherwise be exploited.

Today, Talos is disclosing a vulnerability that has been identified in Adobe Acrobat Reader DC. The vulnerability, if exploited, could lead to arbitrary code execution on affected devices. As part of the coordinated effort to responsibly disclose the vulnerability, Adobe has released a software update that addresses the vulnerability. Additionally, Talos has developed Snort rules that detect attempts to exploit the flaw.

Vulnerability Details

This vulnerability was identified by Aleksandar Nikolic of Talos.

TALOS-2017-0361 / CVE-2017-11263 is an arbitrary code execution vulnerability in Adobe Acrobat Reader DC that manifests as a parser confusion vulnerability in the AcroForm parsing functionality. A specifically crafted PDF document designed to trigger this vulnerability could cause the parser to enter an unintended state. As a result, an attacker could abuse an unchecked pointer in memory to access or overwrite arbitrary memory inside the process. This could ultimately lead to arbitrary code execution.

The vulnerability could be leveraged in the context of a social engineering attack, where an attacker sends the intended victim an email containing a malicious PDF.


Talos has developed the following Snort rules to detect attempts to exploit the vulnerability. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or

Snort Rules:

  • 43167-43168

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal:

To review our Vulnerability Disclosure Policy, please visit this site: