Adobe Fixes Critical Acrobat Reader Vulnerability Already Exploited by Hackers

13.04.2026 3 minutes Author: Newsman

Adobe has released an urgent security update for Acrobat and Reader to address a critical vulnerability, CVE-2026-34621, that was already being actively exploited in real-world attacks. The issue allowed malicious code to be executed via specially crafted PDF files.

Adobe has rushed out an emergency patch for Acrobat and Reader because the flaw is already under attack. It is tracked as CVE-2026-34621 and carries a CVSS (Common Vulnerability Scoring System) score of 8.6/10. An attacker who exploits the vulnerability can run arbitrary code on the victim's machine.

The bug in Acrobat and Reader is a prototype pollution flaw. Prototype pollution occurs when attacker-controlled input is used to modify or add properties on a program's shared internal objects (in JavaScript, an object's prototype), so that every object inheriting from that prototype picks up the injected values. This lets the attacker perform arbitrary actions within the application and take control of the process it runs in.
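To illustrate the bug class, here is an added example (not Adobe's or EXPMON's code, and unrelated to Acrobat's internals): a recursive JSON merge that lets a `__proto__` key reach `Object.prototype`, beside a hardened version that refuses prototype-reaching keys. The payload and the `isAdmin` property are constructed for the demonstration.

```javascript
'use strict';

// Keys that must never be merged: writing through them reaches shared prototypes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: recurses into every key, so a "__proto__" key walks into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value); // target['__proto__'] IS Object.prototype here
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips prototype-reaching keys and only recurses into the target's own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge against a constructed payload and reports whether an unrelated
// fresh object inherited the injected property (the signature of pollution).
function demo(merge) {
  const payload = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}'); // constructed input
  const config = merge({ theme: 'light' }, payload);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // reset so the next call starts from a clean prototype
  return { theme: config.theme, polluted };
}

console.log('unsafeMerge:', demo(unsafeMerge)); // { theme: 'dark', polluted: true }
console.log('safeMerge:', demo(safeMerge));     // { theme: 'dark', polluted: false }
```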

Multiple versions of Acrobat and Reader are affected on both Windows and macOS. Specifically:

  • Acrobat DC < version 26.001.21367

  • Acrobat Reader DC < version 26.001.21367

  • Acrobat 2024 < version 24.001.30356

Adobe has issued updates to fix all affected versions. Acrobat DC and Reader DC were fixed in version 26.001.21411, while the Acrobat 2024 fixes were released separately for each operating system (Windows and macOS).

Adobe confirmed that the vulnerability has been exploited in attacks, stating that it is aware of exploitation outside of a lab environment. The details only became known a couple of days later, when Haifei Li, a security researcher and founder of EXPMON, revealed how the attack worked. He explained that the attackers created special PDF files containing malicious JavaScript that executed immediately upon opening the document in Reader.

It seems reasonable to assume that this method has existed since December 2025, so Reader users may have been vulnerable for several months.

Haifei Li further explained that EXPMON had originally assessed the severity of this bug differently from Adobe: EXPMON initially believed it was an information disclosure bug. Once Adobe confirmed that the bug could allow an attacker to run arbitrary code, the assessment changed.

“It looks like Adobe now believes the flaw allows for arbitrary code execution — not just information leaks,” EXPMON said. “That is consistent with what we’ve seen in the last few days along with other security researchers.”

Besides revising its view of the bug's severity, Adobe also updated some of the bug's characteristics. In an update to the April advisory, the attack vector was changed from remote to local, which lowered the CVSS score from 9.6 to 8.6.

Once again, we see that even an ordinary PDF file can provide an entry point for an attack if the software that opens it isn't patched.
