Adobe rushes emergency Acrobat Reader patch after months-long PDF zero-day attacks

April 14, 2026
SAN JOSE, California, April 14, 2026, 10:12 AM PDT

Adobe has rolled out an emergency patch for Acrobat and Reader after attackers exploited a PDF flaw for months, issuing fixes for Windows and macOS software and acknowledging active abuse of CVE-2026-34621. The update covers Acrobat DC, Acrobat Reader DC and Acrobat 2024.

The timing matters because U.S. authorities have now escalated the issue. NVD shows the flaw was added to CISA’s Known Exploited Vulnerabilities catalog on April 13, giving federal civilian agencies until April 27 to patch. A zero-day is a flaw attackers exploit before a patch is available, and in this case the victim only had to open a malicious file.

Adobe has described the issue as prototype pollution, a JavaScript weakness that lets attackers tamper with how software objects behave and can end in arbitrary code execution. The fixed versions are Acrobat DC and Reader DC 26.001.21411, plus Acrobat 2024 version 24.001.30362 on Windows and 24.001.30360 on macOS; Adobe also cut the CVSS score to 8.6 from 9.6 after reclassifying the attack vector as local rather than network-based.
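For administrators checking installs against the fixed builds listed above, here is an added example (not code from Adobe or from the original article). The product and platform labels and the inventory rows are assumptions constructed for illustration; only the fixed version numbers come from the article.

```python
# Added example: patch triage for CVE-2026-34621 (not Adobe's tooling).
# Fixed builds come from the article; product/platform labels and the
# inventory rows below are constructed for illustration.
FIXED = {
    ("acrobat dc", "windows"): "26.001.21411",
    ("acrobat dc", "macos"): "26.001.21411",
    ("acrobat reader dc", "windows"): "26.001.21411",
    ("acrobat reader dc", "macos"): "26.001.21411",
    ("acrobat 2024", "windows"): "24.001.30362",
    ("acrobat 2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """Turn 'NN.NNN.NNNNN' into a tuple of ints so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, platform, version):
    """Return 'patched', 'needs_update' or 'unknown' for one install."""
    fixed = FIXED.get((product.strip().lower(), platform.strip().lower()))
    if fixed is None:
        return "unknown"          # product/platform not covered by this update
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"          # unparseable inventory data: check by hand
    return "patched" if installed >= parse_version(fixed) else "needs_update"

def hosts_needing_update(inventory):
    """Return hosts with any install that is not confirmed patched."""
    return sorted({host for host, product, platform, version in inventory
                   if triage(product, platform, version) != "patched"})

# Constructed sample inventory: (host, product, platform, version).
SAMPLE = [
    ("ws-01", "Acrobat Reader DC", "Windows", "26.001.21411"),
    ("ws-02", "Acrobat Reader DC", "Windows", "26.001.9999"),   # string compare would pass this
    ("mac-01", "Acrobat 2024", "macOS", "24.001.30360"),
    ("ws-03", "Acrobat 2024", "Windows", "24.001.30360"),       # macOS build number on Windows
    ("ws-04", "Acrobat DC", "Windows", "unknown"),
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(row[0], triage(*row[1:]))
    print("follow up:", hosts_needing_update(SAMPLE))
```

Installs reported as unknown are treated as needing follow-up rather than assumed safe.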

The bug surfaced after security researcher Haifei Li, founder of EXPMON, analyzed a malicious PDF sample submitted to his platform on March 26. Li later wrote that another variant first appeared on VirusTotal on November 28, 2025, suggesting the campaign had been running for at least four months, and TechCrunch reported another copy of the weaponized file turned up there in late November.

Li said the booby-trapped PDF “works on the latest version of Adobe Reader” and can do more than steal local data. It can set up remote code execution, which means running malware on the victim’s device, and a sandbox escape, or breaking out of the app’s security container, if a target meets the attacker’s conditions.

Sophos said the lures looked targeted rather than like broad, opportunistic attacks, with Russian-language documents tied to current events in Russia’s oil and gas sector. That points to a narrower campaign, not a spray-and-pray run.

Adobe also competes with other PDF software providers. Foxit markets its editor as an alternative to Acrobat, while Nitro sells PDF tools to business users, but Qualys described Adobe Reader as a free, widely used application, a mix that helps explain why attackers keep returning to it.

The main risk now is what organizations may have missed before the patch landed. SecurityWeek reported that Li saw the sample as a fingerprinting stage that could feed into remote code execution or a sandbox escape, and he warned that Adobe’s lower score “does not reduce the urgency” of patching; Tenable separately flagged the bug as a vulnerability of interest and urged users to apply the update as soon as possible.
