Adobe rushes emergency Acrobat Reader patch after months-long PDF zero-day attacks

April 14, 2026

SAN JOSE, California, April 14, 2026, 10:12 AM PDT

Adobe rushed out an emergency fix for Acrobat and Reader, responding to months of real-world attacks leveraging a vulnerability in PDF handling. The company confirmed ongoing exploitation of CVE-2026-34621, releasing patches for Windows and macOS versions. The update applies to Acrobat DC, Acrobat Reader DC, and Acrobat 2024.

The timing is key here—U.S. officials have stepped things up. The flaw landed in CISA’s Known Exploited Vulnerabilities catalog on April 13, according to NVD, so federal civilian agencies face an April 27 deadline to patch. This one’s a zero-day: attackers were able to strike before a fix existed, and all it took was the victim opening a malicious file.

Adobe is calling it prototype pollution—a JavaScript flaw that lets attackers mess with object behavior and possibly run code. Fixes landed in Acrobat DC and Reader DC 26.001.21411, Acrobat 2024 version 24.001.30362 for Windows, and 24.001.30360 for macOS. The company dropped the CVSS score to 8.6, down from 9.6, after shifting the attack vector classification to local instead of network.
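For patch triage against the fixed builds and the KEV deadline reported above, a version check along the following lines can be run over a software inventory. This is an added example, not code from Adobe or from the article; it assumes versions compare numerically field by field, and the inventory layout, hostnames and installed versions are constructed for illustration.

```python
from datetime import date

# Fixed builds as stated in the article, keyed by (product, platform).
FIXED = {
    ("Acrobat DC", "windows"): "26.001.21411",
    ("Acrobat DC", "macos"): "26.001.21411",
    ("Acrobat Reader DC", "windows"): "26.001.21411",
    ("Acrobat Reader DC", "macos"): "26.001.21411",
    ("Acrobat 2024", "windows"): "24.001.30362",
    ("Acrobat 2024", "macos"): "24.001.30360",
}
KEV_DUE = date(2026, 4, 27)  # federal civilian agency deadline from the article

def parse_version(text):
    """Turn 'major.minor.build' into a tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, platform, version, today):
    """Return 'patched', 'vulnerable', 'overdue' or 'unknown' for one install."""
    fixed = FIXED.get((product, platform.lower()))
    if fixed is None:
        return "unknown"  # product/platform not covered by the article
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # do not guess at malformed inventory data
    if installed >= parse_version(fixed):
        return "patched"
    return "overdue" if today > KEV_DUE else "vulnerable"

# Constructed inventory rows: (host, product, platform, version).
INVENTORY = [
    ("ws-001", "Acrobat Reader DC", "Windows", "26.001.21411"),
    ("ws-002", "Acrobat Reader DC", "Windows", "25.001.20997"),
    ("mac-07", "Acrobat 2024", "macOS", "24.001.30360"),
    ("ws-003", "Acrobat 2024", "Windows", "24.001.30360"),  # macOS build number on Windows
    ("ws-004", "Acrobat DC", "Windows", "26.1.x"),          # malformed entry
]

def audit(inventory, today):
    """Map each host to its patch status as of the given date."""
    return {host: classify(prod, plat, ver, today)
            for host, prod, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY, date(2026, 4, 20)).items():
        print(f"{host}: {status}")
```

The `ws-003` row shows why the lookup is keyed by platform: build 24.001.30360 is the fixed build on macOS but sits below the Windows fixed build 24.001.30362.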

Security researcher Haifei Li, who heads EXPMON, spotted the bug while examining a malicious PDF uploaded to his platform on March 26. Li later pointed out that a separate version had actually landed on VirusTotal as early as November 28, 2025, implying the campaign had been live for at least four months. TechCrunch also found another instance of the infected file on VirusTotal in late November.

Li noted the booby-trapped PDF “works on the latest version of Adobe Reader” and isn’t just grabbing local data. The exploit is capable of remote code execution—letting attackers run malware on a target’s machine—and can pull off a sandbox escape, breaking out of the app’s security boundaries if the victim fits the attacker’s criteria. (TechRadar)

Sophos described the lures as targeted, not the usual broad or opportunistic attacks. The documents, written in Russian and referencing recent developments in Russia’s oil and gas industry, suggest a focused operation. This doesn’t look like a random, wide-scope campaign.

Adobe has rivals in the PDF software space. Foxit pitches its editor as a substitute for Acrobat, and Nitro targets business customers with its own PDF offerings. Still, Qualys points out that Adobe Reader remains a free and heavily used product—making it an ongoing target for attackers.

The biggest concern at this point: what organizations might have overlooked ahead of the patch. SecurityWeek noted Li’s take—the sample looked like fingerprinting and could set the stage for remote code execution or a sandbox escape. Li also pointed out that Adobe’s lower severity rating “does not reduce the urgency” to patch. Tenable, for its part, tagged the flaw as noteworthy and pushed users to get the update in place quickly. (SecurityWeek)
