CVE-2008-2992
CVE-2008-2992 is a high-severity vulnerability in Adobe Acrobat with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-03). The underlying weakness is classified as CWE-787.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 9.3
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-03)
- EU (EUVD) id: EUVD-2008-2982
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-03)
- Weakness: CWE-787
- Affected product: Adobe Acrobat
- Published:
- Last modified:
Description
Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
CVE-2008-2992: Adobe Acrobat/Reader util.printf Stack-Based Buffer Overflow
AI-generated analysis based on the vulnerability data on this page.
| CVE | CVE-2008-2992 |
| CVSS v2 | 9.3 (Critical) — AV:N/AC:M/Au:N/C:C/I:C/A:C |
| CVSS v3 | 7.8 (High) — AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS | 0.98482 (99.9th percentile) |
| CWE | CWE-787 — Out-of-bounds Write |
| CISA KEV | Added 2022-03-03 |
| EU Exploited | Yes (since 2022-03-03) |
Summary
A stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument. This vulnerability is related to CVE-2008-1104.
Background
Adobe Acrobat and Reader have long supported JavaScript execution within PDF documents via the util object, which provides utility functions for document processing. The util.printf function is intended to format strings similarly to C-style printf. In versions 8.1.2 and earlier, this function lacked proper bounds checking when processing user-supplied format strings, creating a classic stack-based buffer overflow condition. PDF-based attacks were a prevalent delivery mechanism during this era, often distributed via email or malicious websites.
Root Cause
The vulnerability is classified as CWE-787 (Out-of-bounds Write). The root cause lies in the implementation of util.printf within Adobe's JavaScript engine for PDF processing. When parsing a format string containing width specifiers or other directives, the function writes to a fixed-size stack buffer without adequately validating the length of the resulting formatted output. A malicious PDF can supply an oversized or specially crafted format string that exceeds the allocated buffer, overwriting adjacent stack memory including saved return addresses. This is a direct consequence of unsafe string formatting inherited from C-style printf semantics without modern bounds-checking mitigations.
Impact
Tied to the CVSS metrics, the impact is severe and comprehensive:
- CVSS v2 (9.3): Network-accessible, medium complexity, no authentication required, leading to complete confidentiality, integrity, and availability loss.
- CVSS v3 (7.8): While the attack vector is local (requires opening a file), the local scope still results in High impacts across confidentiality, integrity, and availability due to the arbitrary code execution potential.
- EPSS: At 0.98482 with a 99.9th percentile ranking, this vulnerability is among the most likely to be exploited in the wild.
- CISA KEV & EU Exploited: Inclusion in both catalogs confirms active, real-world exploitation, including potential ransomware usage.
Successful exploitation typically results in full compromise of the user session with the privileges of the logged-in user.
Exploitation Walkthrough
Ethics caveat: This section describes the defensive understanding of exploitation mechanics. No weaponized code is provided. Organizations should use this knowledge to improve detection and hardening, not to attack systems without authorization.
The attack proceeds as follows:
- Delivery: An attacker crafts a malicious PDF document embedding JavaScript that invokes
util.printfwith a malformed format string argument (e.g., an extremely long width specifier). - Trigger: The victim opens the PDF in a vulnerable version of Adobe Acrobat or Reader. The embedded JavaScript executes automatically if scripting is enabled.
- Overflow: The
util.printffunction copies the attacker-controlled string into a fixed-size stack buffer, overwriting the return address or Structured Exception Handler (SEH) chain. - Code execution: On x86 Windows systems of the era, this often enabled straightforward return-oriented or direct shellcode execution due to the absence of modern mitigations like ASLR and DEP in early Adobe Reader versions.
Defensive teams should note that PDF documents with embedded JavaScript, particularly those invoking util.printf, should be treated as suspicious in historical threat intelligence feeds.
Affected and Patched Versions
- Affected: Adobe Acrobat and Reader 8.1.2 and earlier
- Also affected: Oracle Solaris 10 (as a host platform for the vulnerable software)
- Patched: Versions released after Adobe Security Bulletin APSB08-19 (November 2008); users were advised to upgrade to Adobe Reader 9.x or apply the specific 8.1.3 security update. Exact patch release details should be verified against vendor advisories.
Remediation
- Upgrade: Update Adobe Acrobat and Reader to the latest supported versions. Adobe ended support for the 8.x branch long ago; modern environments should run current releases (2024/2025 era) which are not vulnerable to this issue.
- Disable JavaScript in PDF readers: In high-security environments, disable JavaScript execution within Acrobat/Reader settings to eliminate an entire class of PDF-based attacks.
- Compensating controls:
- Use application sandboxing or virtualization for opening untrusted PDFs.
- Deploy email filtering to block PDF attachments from untrusted sources.
- Maintain endpoint protection with behavioral detection for PDF-launched processes.
- Apply operating system-level mitigations (ASLR, DEP/NX, Control Flow Guard) to limit exploit reliability on legacy software that cannot be upgraded.
Detection
- Network: Monitor for email or web traffic delivering PDFs containing
util.printfJavaScript calls. Historic IDS signatures exist for this exploit family. - Endpoint: Behavioral detection focusing on Adobe Reader spawning unexpected child processes (e.g.,
cmd.exe, PowerShell, or network connections) after opening a PDF. - File analysis: Static analysis of PDF documents for JavaScript streams containing
util.printfwith abnormally large numeric arguments or format strings. - Threat intelligence: Correlate any detections with CISA KEV and EU exploited-vulnerability databases for prioritization.
Assessment
This vulnerability remains a textbook case of format-string-related buffer overflow in client-side software. Its EPSS score of 0.98482 and confirmed presence in the CISA KEV catalog underscore that it was actively exploited for years and retains relevance in legacy environments. Two key lessons:
- Client-side software is high-value attack surface: PDF readers, browsers, and office suites process untrusted external input and must be hardened with robust memory safety and bounds checking.
- Legacy software persists: Even vulnerabilities from 2008 continue to pose risks where outdated systems remain in production. Organizations should prioritize visibility into end-of-life software and enforce upgrade policies.
References
- http://www.adobe.com/support/security/bulletins/apsb08-19.html
- http://www.kb.cert.org/vuls/id/593409
- http://www.coresecurity.com/content/adobe-reader-buffer-overflow
- http://www.zerodayinitiative.com/advisories/ZDI-08-072/
- http://www.redhat.com/support/errata/RHSA-2008-0974.html
- http://www.us-cert.gov/cas/techalerts/TA08-309A.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2008-2992
- https://www.exploit-db.com/exploits/6994
- https://www.exploit-db.com/exploits/7006
Frequently asked questions
- What is CVE-2008-2992?
- Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
- How severe is CVE-2008-2992?
- CVE-2008-2992 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2008-2992 being actively exploited?
- Yes. CVE-2008-2992 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2008-2992?
- CVE-2008-2992 primarily affects Adobe Acrobat. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2008-2992?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2008-2992 have an EU (EUVD) identifier?
- Yes. CVE-2008-2992 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2008-2982. It is also flagged as exploited in the EUVD (since 2022-03-03).
- When was CVE-2008-2992 published?
- CVE-2008-2992 was published on 2008-11-04 and last updated on 2026-06-16.
References
- http://download.oracle.com/sunalerts/1019937.1.html
- http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
- http://osvdb.org/49520
- http://secunia.com/advisories/29773
- http://secunia.com/advisories/32700
- http://secunia.com/advisories/32872
- http://secunia.com/advisories/35163
- http://secunia.com/secunia_research/2008-14/
- http://securityreason.com/securityalert/4549
- http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=800801
- http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=909609
- http://www.adobe.com/support/security/bulletins/apsb08-19.html
- http://www.coresecurity.com/content/adobe-reader-buffer-overflow
- http://www.kb.cert.org/vuls/id/593409
- http://www.redhat.com/support/errata/RHSA-2008-0974.html
- http://www.securityfocus.com/archive/1/498027/100/0/threaded
- http://www.securityfocus.com/archive/1/498032/100/0/threaded
- http://www.securityfocus.com/archive/1/498055/100/0/threaded
- http://www.securityfocus.com/bid/30035
- http://www.securityfocus.com/bid/32091
- http://www.securitytracker.com/id?1021140
- http://www.us-cert.gov/cas/techalerts/TA08-309A.html
- http://www.vupen.com/english/advisories/2008/3001
- http://www.vupen.com/english/advisories/2009/0098
- http://www.zerodayinitiative.com/advisories/ZDI-08-072/
- https://www.exploit-db.com/exploits/6994
- https://www.exploit-db.com/exploits/7006
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2008-2992
Affected products (3)
- cpe:2.3:a:adobe:acrobat:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
More vulnerabilities in Adobe Acrobat
- CVE-2018-4872 — Critical (CVSS 10.0): An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier…
- CVE-2016-1044 — Critical (CVSS 10.0): Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and…
- CVE-2016-1041 — Critical (CVSS 10.0): Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and…
- CVE-2016-1038 — Critical (CVSS 10.0): Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and…
- CVE-2015-7622 — Critical (CVSS 10.0): Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before…
- CVE-2015-6691 — Critical (CVSS 10.0): Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and…
All CVEs affecting Adobe Acrobat →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…