
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 - The Hacker News

Source: The Hacker News (archived Apr 23, 2026)



    Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Ravie LakshmananApr 12, 2026Vulnerability / Endpoint Security Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations. It has been described as a case of prototype pollution that could result in arbitrary code execution. Prototype pollution refers to a JavaScript security vulnerability that permits an attacker to manipulate an application's objects and properties. The issue impacts the following products and versions for both Windows and macOS - Acrobat DC versions 26.001.21367 and earlier (Fixed in 26.001.21411) Acrobat Reader DC versions 26.001.21367 and earlier (Fixed in 26.001.21411) Acrobat 2024 versions 24.001.30356 and earlier (Fixed in 24.001.30362 for Windows and 24.001.30360 for macOS) Adobe acknowledged that it's "aware of CVE-2026-34621 being exploited in the wild." The development comes days after security researcher and EXPMON founder Haifei Li disclosed details of zero-day exploitation of the flaw to run malicious JavaScript code when opening specially crafted PDF documents through Adobe Reader. There is evidence suggesting that the vulnerability may have been under exploitation since December 2025. "It appears that Adobe has determined the bug can lead to arbitrary code execution — not just an information leak," EXPMON said in a post on X. "This aligns with our findings and those of other security researchers over the last few days." Update The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), on April 13, 2026, added CVE-2026-34621 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 27, 2026. (The story was updated after publication to reflect the change in CVSS score from 9.6 to 8.6. In a revision to its advisory on April 12, 2026, Adobe said it adjusted the attack vector from Network (AV:N) to Local (AV:L).) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Adobe, Application Security, cybersecurity, data protection, endpoint security, Malware, Threat Intelligence, Vulnerability, zero day Trending News OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities The Hidden Security Risks of Shadow AI in Enterprises Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Your MTTD Looks Great. 
Your Post-Alert Gap Doesn't Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Popular Resources Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat Discover Key AI Security Gaps CISOs Face in 2026 How to Identify Risky Browser Extensions in Your Organization
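To check an endpoint inventory against the fixed builds listed in the article, the following added example (not from Adobe or The Hacker News) classifies each installation. The inventory rows, host names and the `triage`/`report` function names are constructed for illustration; the version numbers are the ones quoted above.

```python
import re

# Fixed builds as listed in the article, keyed by (product, platform).
FIXED = {
    ("Acrobat DC", "windows"): "26.001.21411",
    ("Acrobat DC", "macos"): "26.001.21411",
    ("Acrobat Reader DC", "windows"): "26.001.21411",
    ("Acrobat Reader DC", "macos"): "26.001.21411",
    ("Acrobat 2024", "windows"): "24.001.30362",
    ("Acrobat 2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """Parse the 'NN.NNN.NNNNN' form used in the article; None otherwise.

    Other spellings (for example a four-digit leading field) are rejected
    rather than compared, because comparing them would wrongly rank an
    affected build above the fixed one.
    """
    m = re.fullmatch(r"\s*(\d{2})\.(\d{3})\.(\d{5})\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(product, platform, installed):
    """Return 'update-required', 'fixed' or 'unknown' for one installation."""
    fixed = FIXED.get((product, platform.lower()))
    have = parse_version(installed)
    if fixed is None or have is None:
        return "unknown"  # unlisted product/platform or odd version: review by hand
    # Any build below the fixed one needs the update, including builds that
    # fall between the last listed affected build and the fix.
    return "fixed" if have >= parse_version(fixed) else "update-required"

# Constructed sample inventory: (host, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-001", "Acrobat Reader DC", "Windows", "26.001.21367"),
    ("ws-002", "Acrobat DC", "macOS", "26.001.21411"),
    ("ws-003", "Acrobat 2024", "Windows", "24.001.30360"),
    ("ws-004", "Acrobat 2024", "macOS", "24.001.30360"),
    ("ws-005", "Acrobat 2024", "Windows", "2024.001.30356"),
]

def report(rows):
    """Map each host to its triage status."""
    return {host: triage(prod, plat, ver) for host, prod, plat, ver in rows}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Build 24.001.30360 is fixed on macOS but still below the Windows fix, so the platform has to be part of the lookup key.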