HighCISA KEVExploited in the wildPublic exploit

Adobe Reader and Acrobat CoolType.dll SING Table Buffer Overflow

IdentifiersCVE-2010-2883CWE-121

CVE-2010-2883 is a stack-based buffer overflow in CoolType.dll, the font parsing component used by Adobe Reader and Adobe Acrobat. The flaw affects Adobe Reader and Acrobat 9.x before 9.4 and 8.x before 8.2.5 on Windows and Mac OS X. The vulnerability is triggered when the application parses a malformed TrueType font embedded in a PDF document, specifically a long field in a Smart INdependent Glyphlets (SING) table. A specially crafted PDF can corrupt stack memory during font processing, leading to application crash or arbitrary code execution. The vulnerability was reported as exploited in the wild in September 2010.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a remote attacker to execute arbitrary code in the security context of the user opening the malicious PDF. In practical terms, this can result in full compromise of the affected workstation, including malware installation, data theft, and follow-on access using the victim's privileges. If code execution is not achieved, the flaw can still be used to cause a denial of service via application crash.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, avoid opening untrusted or unsolicited PDF files. Disable PDF rendering in web browsers and prevent Internet Explorer or other browsers from automatically opening PDF documents. Disable JavaScript in Adobe Reader and Acrobat where operationally feasible. Use exploit mitigations such as Microsoft's EMET on supported Windows systems to reduce exploit reliability.

Remediation

Patch, then assume compromise.

Upgrade Adobe Reader and Adobe Acrobat to a fixed release: 9.4 or later for the 9.x branch, or 8.2.5 or later for the 8.x branch. Applying Adobe's security update for APSB10-21 remediates the vulnerable CoolType.dll font parsing condition.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2010-2883MaturityPoCFrameworkmetasploitVerified exploit

This repository contains a Metasploit exploit module targeting CVE-2010-2883, a stack buffer overflow in the SING table handling of Adobe Reader (versions 8.2.4 and 9.3.4, Windows). The main file, 'adobe_cooltype_sing_EMETBypass_calc.rb', is a Ruby Metasploit module that generates a malicious PDF file ('msf.pdf') containing a specially crafted TrueType font ('cve-2010-2883.ttf') to trigger the vulnerability. The exploit uses advanced techniques such as heap spraying, ROP chains, and bypasses for DEP/ASLR/EMET mitigations. The payload, defined in 'msf_calc_EMETBypass_payload.asm', is custom shellcode that launches calc.exe, demonstrating arbitrary code execution. The exploit is operational and demonstrates a real-world attack chain, but the payload is hardcoded (calc.exe). The repository is structured with a README, the main Metasploit module, and the assembly payload. No network endpoints are present; the attack vector is a malicious file (PDF) opened by the victim.

avielzechariaDisclosed Sep 22, 2025rubyassemblyfile

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AdobeAcrobatapplication

AdobeAcrobat Readerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

socradar blogNews

Feb 20, 2026

Dark Web Profile: Lotus Blossom

An Adobe Acrobat/Reader font processing vulnerability exploited via malicious PDFs for code execution in early Lotus Blossom targeting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2010-2883

NVD

nvd.nist.gov/vuln/detail/CVE-2010-2883

MITRE CWE · CWE-121

cwe.mitre.org

Vendor Advisory

adobe.com/support/security/advisories/apsa10-02.html

Vendor Advisory

adobe.com/support/security/bulletins/apsb10-21.html

Third Party Advisory

security.gentoo.org/glsa/glsa-201101-08.xml

Third Party Advisory

kb.cert.org/vuls/id/491991

Third Party Advisory

us-cert.gov/cas/techalerts/TA10-279A.html

Third Party Advisory

exchange.xforce.ibmcloud.com/vulnerabilities/61635

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-2883