Adobe Fixes Critical Acrobat Reader Vulnerability CVE-2026-34621
Adobe has released urgent updates to address a significant security vulnerability in Acrobat Reader. The flaw, tracked as CVE-2026-34621, is being actively exploited by cybercriminals. It carries a CVSS score of 8.6 out of 10.0, reflecting its severity.
Details of the Vulnerability CVE-2026-34621
The vulnerability is a prototype pollution flaw. This class of issue allows attackers to manipulate the objects and properties of a JavaScript application, enabling them to execute arbitrary code.
Impacted Products and Versions
The security flaw affects several versions of Adobe products across both Windows and macOS platforms:
- Acrobat DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
- Acrobat Reader DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
- Acrobat 2024 versions 24.001.30356 and earlier (fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)
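The version list above can be turned into an inventory check. The following Python is an added example, not Adobe's tooling: the product and platform labels, host names and inventory rows are constructed, and it assumes any build below the listed fixed build still needs the update.

```python
# Fixed builds copied from the list above; keys are assumed inventory labels.
FIXED = {
    ("acrobat dc", "windows"): "26.001.21411",
    ("acrobat dc", "macos"): "26.001.21411",
    ("acrobat reader dc", "windows"): "26.001.21411",
    ("acrobat reader dc", "macos"): "26.001.21411",
    ("acrobat 2024", "windows"): "24.001.30362",
    ("acrobat 2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """Turn '26.001.21367' into (26, 1, 21367) so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a three-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, platform, version):
    """Classify one install against the fixed build for its product and platform."""
    fixed = FIXED.get((product.strip().lower(), platform.strip().lower()))
    if fixed is None:
        return "unknown-product"       # not in the list; needs manual review
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable-version"   # never report an unreadable build as patched
    return "patched" if installed >= parse_version(fixed) else "needs-update"

# Constructed inventory rows: (host, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-014", "Acrobat Reader DC", "Windows", "26.001.21367"),
    ("ws-022", "Acrobat Reader DC", "Windows", "26.001.21411"),
    ("mac-003", "Acrobat 2024", "macOS", "24.001.30360"),
    # Same build as mac-003, but the Windows fix is 24.001.30362.
    ("ws-031", "Acrobat 2024", "Windows", "24.001.30360"),
    ("ws-040", "Acrobat DC", "Windows", "25.001.20997"),
    ("ws-051", "Acrobat Reader DC", "Windows", "unknown"),
]

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(prod, plat, ver) for host, prod, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The product name has to come from the inventory itself, because the table is keyed on product and platform rather than inferred from the version string.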
Active Exploitation and Research Insights
Adobe is aware that CVE-2026-34621 is being actively exploited. Recent reports from cybersecurity experts, including EXPMON founder Haifei Li, revealed details on the zero-day exploitation. Attackers can execute malicious JavaScript when a specially crafted PDF document is opened in Adobe Reader.
Evidence suggests that this vulnerability may have been exploited since December 2025. EXPMON highlighted that Adobe has acknowledged the potential for arbitrary code execution rather than mere information leaks. This revelation aligns with findings from other researchers in recent days.
Adobe’s Response
Following the reports, Adobe first published an advisory on April 12, 2026, updating the CVSS score due to changing insights on the vulnerability’s impact. The attack vector was also changed from Network (AV:N) to Local (AV:L).
Users of affected Adobe products are strongly encouraged to update their software promptly to protect against potential attacks leveraging this critical vulnerability.