Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Emergency Patch: Adobe Fixes Critical Acrobat Reader Zero-Day (CVE-2026-34621)
TL;DR
Adobe has released emergency security updates to address CVE-2026-34621, a critical prototype pollution vulnerability in Acrobat and Reader. The flaw, which may have been exploited in the wild since December 2025, allows for arbitrary code execution. Users on Windows and macOS are urged to update to the latest versions immediately.
Overview of CVE-2026-34621
Adobe has issued an urgent fix for a critical vulnerability affecting its widely-used Acrobat and Reader software. Identified as CVE-2026-34621, the flaw carries a CVSS score of 8.6 out of 10.0.
The vulnerability is categorized as a prototype pollution issue. This specific type of JavaScript security flaw allows an attacker to manipulate an application's objects and properties. In the context of Adobe Reader, successful exploitation enables an attacker to bypass security boundaries and execute malicious code on the target installation.
Active Exploitation in the Wild
This is not a theoretical risk; Adobe has officially acknowledged that the flaw is being actively exploited. The update follows reports from Haifei Li, security researcher and founder of EXPMON, who disclosed details of zero-day exploitation.
According to researchers, the exploit works by triggering malicious JavaScript code when a user opens a specially crafted PDF document. Evidence suggests that threat actors may have been utilizing this vulnerability as far back as December 2025.
Initially, there was discussion regarding the impact of the bug. While some early assessments suggested a risk of information leaks, Adobe and independent researchers at EXPMON have confirmed that the flaw can indeed lead to arbitrary code execution (ACE).
Technical Details and Score Revision
Following the initial disclosure, Adobe revised its security advisory on April 12, 2026. This revision included two notable changes:
- CVSS Score Adjustment: The score was adjusted from 9.6 down to 8.6.
- Attack Vector: The attack vector was reclassified from "Network" (AV:N) to "Local" (AV:L), reflecting the requirement for a user to interact with a malicious file locally.
Affected Products
The vulnerability impacts both Windows and macOS versions of the following products:
- Acrobat DC / Acrobat Reader DC: Versions 26.001.21367 and earlier.
- Acrobat 2024: Versions 24.001.30356 and earlier.
Mitigation: Required Updates
Adobe has released patches to resolve the issue. Users should ensure their software is updated to the versions listed below (or newer):
| Product | Platform | Fixed Version |
|---|---|---|
| Acrobat DC / Reader DC | Windows & macOS | 26.001.21411 |
| Acrobat 2024 | Windows | 24.001.30362 |
| Acrobat 2024 | macOS | 24.001.30360 |
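To check an inventory against the fixed builds in the table above, the following added example (not Adobe's tooling and not from the source article) compares installed versions numerically per product and platform. The inventory record layout, the host names and the `dc`/`2024` track labels are assumptions; how the installed version is collected from each machine is left out.

```python
import re

# Fixed builds copied from the table above, keyed by (product track, platform).
FIXED = {
    ("dc", "windows"): "26.001.21411",
    ("dc", "macos"): "26.001.21411",
    ("2024", "windows"): "24.001.30362",
    ("2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """'26.001.21367' -> (26, 1, 21367), so builds compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def assess(product, platform, installed):
    """Return 'patched', 'update-required' or 'unknown' for one install."""
    fixed = FIXED.get((product.lower(), platform.lower()))
    if fixed is None:
        return "unknown"  # track not covered by the table: review by hand
    try:
        current = parse_version(installed)
    except ValueError:
        return "unknown"  # unparseable inventory data is never reported as safe
    return "patched" if current >= parse_version(fixed) else "update-required"

def triage(inventory):
    """List (host, status) for every install that is not confirmed patched."""
    rank = {"update-required": 0, "unknown": 1}
    rows = [(i["host"], assess(i["product"], i["platform"], i["version"]))
            for i in inventory]
    return sorted((r for r in rows if r[1] != "patched"),
                  key=lambda r: (rank[r[1]], r[0]))

# Constructed sample inventory; host names and record layout are assumptions.
SAMPLE_INVENTORY = [
    {"host": "ws-014", "product": "dc", "platform": "windows", "version": "26.001.21367"},
    {"host": "mac-203", "product": "2024", "platform": "macos", "version": "24.001.30360"},
    {"host": "ws-077", "product": "2024", "platform": "windows", "version": "24.001.30360"},
    {"host": "ws-101", "product": "dc", "platform": "windows", "version": "26.001.21411"},
    {"host": "kiosk-9", "product": "2020", "platform": "windows", "version": "20.005.30000"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Build 24.001.30360 counts as patched on macOS but not on Windows, which is why the lookup is keyed by platform as well as product.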
Conclusion
The discovery of CVE-2026-34621 underscores the ongoing risk posed by malicious PDF documents. Because this flaw allows for arbitrary code execution and is already being leveraged by attackers, immediate patching is the only reliable defense. Administrators and individual users should check their current Adobe version and apply the emergency update to prevent potential system compromise.
Source: https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html


