Adobe Releases Emergency Patch for Actively Exploited CVE-2026-34621 Vulnerability in Acrobat Reader
Adobe has released an emergency patch to address a zero-day vulnerability (CVE-2026-34621) in Acrobat Reader that was actively exploited.
Adobe (ADBE) released an emergency security patch on April 11, 2026, addressing CVE-2026-34621 — a critical zero-day vulnerability in Acrobat Reader that had been actively exploited in the wild since at least December 2025. The flaw carries a CVSS score of 8.6 (Critical) with Adobe's highest Priority-1 classification, and enables arbitrary remote code execution via malicious JavaScript embedded in specially crafted PDF files. Affected versions include Acrobat and Reader 24.001.30356, 26.001.21367, and earlier on both Windows and macOS.
Security researcher Haifei Li of EXPMON disclosed the exploitation details, noting that threat actors had leveraged the vulnerability in targeted attacks for months before public discovery. The attack method exploits a prototype pollution flaw (CWE-1321), allowing attackers to execute arbitrary code the moment a victim opens a malicious PDF — an especially high-impact delivery vector given the ubiquity of PDF files in enterprise workflows, finance, legal, and government settings. Adobe issued the official patch as security bulletin APSB26-43 and revised the attack vector classification on April 12 following additional analysis.
The disclosure underscores the persistent risk posed by widely deployed document-processing software. With Acrobat Reader installed on hundreds of millions of devices globally, unpatched systems remain live targets for phishing campaigns distributing weaponized PDFs. Adobe users and enterprise IT teams are urged to apply the update immediately via Help > Check for Updates, or through their endpoint management platforms.
Powered by SentiSense - Intelligent Market Analysis