TL;DR: CVE-2026-48294 (CVSS 7.4 HIGH, CWE-79) is a Universal XSS bug in the Adobe Acrobat PDF Extension for Chrome. UXSS in an extension context means an attacker can read cross-origin data from any tab the victim has open. Affects Chrome extension versions 26.5.2.2 and earlier. Forensic investigators handling exfil cases should add browser-extension inventory to the standard PDF-handling-policy audit.
What CVE-2026-48294 Actually Is
Per the NIST National Vulnerability Database primary source, CVE-2026-48294 affects Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), and the disclosure language describes it as UXSS-class cross-origin data disclosure. UXSS stands for Universal Cross-Site Scripting: a class of XSS where the attacker payload executes with privileges that cross the standard same-origin policy boundary. In an extension context, UXSS is particularly dangerous because extensions hold privileged access to web content across origins by design.
The NVD CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N. Network attack vector, low complexity, no privileges required, user interaction required, scope CHANGED, high confidentiality impact, no integrity or availability impact. The SCOPE CHANGED designation is the load-bearing detail: it tells you that successful exploitation crosses a security boundary that the affected component was supposed to enforce. In this case the boundary is the same-origin policy that browsers use to prevent cross-tab data leakage.
Why This Is a Forensic Investigation Surface
The Sherlock Forensics perspective treats CVE-2026-48294 as a forensic surface for three reasons. First, the Adobe Acrobat PDF Extension is installed automatically when users install Adobe Acrobat Reader and accept the default Chrome integration prompt. Many enterprise environments have not inventoried the extension because policy documentation tracks desktop Acrobat installations, not Chrome extension installations. Second, the extension is invisible to most enterprise PDF-handling controls. Data loss prevention rules that watch desktop Acrobat and the print spooler do not see traffic flowing through the Chrome extension surface. Third, the SCOPE CHANGED designation means that exploitation does not need any cooperation from the PDF document itself: any malicious URL the victim visits can pull data from any other tab the victim has open while the extension is active.
In an investigation of suspected data exfiltration through a PDF channel, the standard playbook covers desktop Acrobat history, print-queue artifacts plus enterprise mail-attachment logs. CVE-2026-48294 means investigators also need to check Chrome extension inventory at the time of the incident, the extension version, plus Chrome history for any URLs that may have invoked the extension surface. The Sherlock PDF Editor ships as a native desktop application with no browser-extension component, which is the architectural decision that takes the entire UXSS attack surface out of scope for our product line.
Detection: Browser Extension Inventory at Time of Incident
The forensic question is not whether the extension is vulnerable today but whether the extension was vulnerable at the moment of the suspected incident. Chrome stores extension version history in the user profile directory under Default/Extensions plus Default/Preferences. Forensic acquisition of a Chrome profile preserves this information. The relevant extension identifier for Adobe Acrobat PDF Extension is efaidnbmnnnibpcajpcglclefindmkaj per the Adobe-published Chrome Web Store listing. Investigators should grep the Preferences file for that identifier and correlate the version string against the CVE-2026-48294 affected range (26.5.2.2 and earlier).
A Sigma rule for detecting UXSS-class extension exploitation in browser telemetry needs to focus on the cross-origin read pattern. Browser extension events that read DOM content from origins outside the active tab origin are not normal application behavior. Microsoft Defender for Endpoint, Chronicle plus CrowdStrike Falcon all capture browser extension API calls when configured for that telemetry tier. The Sigma signature looks for extension API calls invoking chrome.tabs.executeScript or chrome.scripting.executeScript against an origin distinct from the active tab origin.
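The cross-origin comparison that such a rule depends on, shown as an added example over constructed telemetry (not a rule or code from the original page). The event field names extension_id, api, target_url and active_tab_url are hypothetical; map them to whatever your telemetry export actually provides.

```python
from urllib.parse import urlsplit

# API names taken from the paragraph above.
WATCHED_APIS = {"chrome.tabs.executeScript", "chrome.scripting.executeScript"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample events; field names are hypothetical, not a vendor schema.
SAMPLE_EVENTS = [
    {"extension_id": "efaidnbmnnnibpcajpcglclefindmkaj", "api": "chrome.scripting.executeScript",
     "target_url": "https://mail.example.test/inbox", "active_tab_url": "https://news.example.test/article"},
    {"extension_id": "efaidnbmnnnibpcajpcglclefindmkaj", "api": "chrome.scripting.executeScript",
     "target_url": "https://docs.example.test:443/view", "active_tab_url": "https://docs.example.test/file.pdf"},
    {"extension_id": "efaidnbmnnnibpcajpcglclefindmkaj", "api": "chrome.tabs.query",
     "target_url": "https://bank.example.test/", "active_tab_url": "https://news.example.test/"},
    {"extension_id": "efaidnbmnnnibpcajpcglclefindmkaj", "api": "chrome.tabs.executeScript",
     "target_url": "http://docs.example.test/", "active_tab_url": "https://docs.example.test/"},
]

def origin(url):
    """Return (scheme, host, port), the tuple the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # An explicit :443 on https (or :80 on http) is the same origin as no port.
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)

def cross_origin_injections(events, ext_id=None):
    """Return script-injection events whose target origin differs from the active tab."""
    hits = []
    for ev in events:
        if ev.get("api") not in WATCHED_APIS:
            continue
        if ext_id and ev.get("extension_id") != ext_id:
            continue
        if origin(ev.get("target_url", "")) != origin(ev.get("active_tab_url", "")):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in cross_origin_injections(SAMPLE_EVENTS):
        print(hit["api"], hit["active_tab_url"], "->", hit["target_url"])
```

Comparing full origins rather than raw URL strings keeps a default-port or path difference from producing a false hit, while a scheme downgrade on the same host is still reported.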
The Browser Extension Attack Surface Is Underweighted
Enterprise endpoint policy tends to treat browser extensions as a productivity concern, not a security incident class. The Adobe Acrobat PDF Extension UXSS shows the gap in that model. The extension has cross-origin read capability by design, which means a single UXSS bug elevates the impact to the maximum possible (session cookie theft, cross-tenant data leak, OAuth token disclosure). The same model applies to other PDF-handling extensions, password manager extensions, screen recorder extensions and any extension that holds origin-spanning permissions.
For forensic investigators, the practical follow-on is straightforward: add Chrome extension inventory snapshots to the incident response triage checklist. The snapshot needs to capture extension identifier, version, install date and the manifest.json permission set. Future incident investigations involving suspected data exfil through a browser channel will reach root-cause attribution faster if the extension snapshot is available alongside the standard timeline artifacts.
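The Preferences check from the detection section and the triage snapshot described above can be scripted together. This is an added example, not Sherlock Forensics or Adobe code; it assumes the acquired profile's Preferences (or Secure Preferences) JSON keeps extension records under extensions.settings with a manifest block and a first_install_time or install_time value, and the sample record is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

ACROBAT_EXT_ID = "efaidnbmnnnibpcajpcglclefindmkaj"  # identifier given on this page
LAST_AFFECTED = (26, 5, 2, 2)                         # "26.5.2.2 and earlier"

# Constructed sample record; the permission list is illustrative only.
SAMPLE_PREFS = json.loads("""
{"extensions": {"settings": {"efaidnbmnnnibpcajpcglclefindmkaj": {
   "first_install_time": "13411699200000000",
   "manifest": {"version": "26.5.2.2", "permissions": ["tabs", "scripting"]}}}}}
""")

def load_prefs(path):
    """Load a Preferences file from an acquired copy of the profile (assumed layout)."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)

def parse_version(text):
    """Turn '26.5.2.2' into (26, 5, 2, 2); pad so '26.5' compares as 26.5.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def webkit_to_utc(value):
    """Convert Chrome's microseconds-since-1601-01-01 timestamp to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))

def snapshot_extension(prefs, ext_id=ACROBAT_EXT_ID):
    """Return the triage record for ext_id, or None if the profile does not list it."""
    entry = prefs.get("extensions", {}).get("settings", {}).get(ext_id)
    if entry is None:
        return None
    manifest = entry.get("manifest", {})
    version = manifest.get("version")
    installed = entry.get("first_install_time") or entry.get("install_time")
    return {
        "id": ext_id,
        "version": version,
        "install_date": webkit_to_utc(installed).isoformat() if installed else None,
        "permissions": sorted(str(p) for p in manifest.get("permissions", [])),
        # None means the version is unknown; do not report that as unaffected.
        "in_affected_range": parse_version(version) <= LAST_AFFECTED if version else None,
    }

if __name__ == "__main__":
    print(json.dumps(snapshot_extension(SAMPLE_PREFS), indent=2))
```

Run it against a copy of the acquired profile, not the live one, and keep the output with the case timeline.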
What Sherlock Customers Should Do
If your environment uses Adobe Acrobat Reader for PDF viewing, audit the Chrome extension version on every endpoint and update to a version above 26.5.2.2. If your environment uses the Sherlock PDF Editor as the desktop PDF viewer, you have no exposure to CVE-2026-48294 because the Sherlock product line does not ship a browser-extension component. If you suspect an incident may have involved this surface, Sherlock incident response engagements include the Chrome extension snapshot procedure described above, and we maintain the Sigma signature catalogue for browser extension UXSS detection.
The Sherlock Forensics methodology favours native desktop tooling over browser extension tooling specifically because browser extensions accumulate cross-origin attack surface across their lifetime. CVE-2026-48294 is one example of that pattern; the next disclosure in this class will follow the same shape.