
Adobe has released an emergency update to fix a critical security flaw in Acrobat Reader that is being exploited in the wild.
This vulnerability has been assigned the CVE identifier CVE-2026-34621 and has a CVSS score of 9.6 out of 10.0. Successful exploitation of this flaw could allow an attacker to execute malicious code on an affected installation.
This is described as a case of prototype pollution that can lead to the execution of arbitrary code. Prototype pollution is a class of JavaScript vulnerability in which an attacker modifies the prototype that objects inherit from, and so manipulates objects and properties of an application.
This issue affects the following products and versions on both Windows and macOS:
Acrobat DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
Acrobat Reader DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
Acrobat 2024 versions 24.001.30356 and earlier (fixed in 26.001.21411) Windows 24.001.30362 for macOS and 24.001.30360 for macOS)
Adobe acknowledged that it is “aware that CVE-2026-34621 is being exploited in the wild.”
The development comes days after security researcher and EXPMON founder Haifei Li revealed details of a zero-day exploit that allows malicious JavaScript code to run when a specially crafted PDF document is opened in Adobe Reader. There is evidence to suggest that this vulnerability may have been exploited since December 2025.
“Adobe appears to have determined that this bug could lead to arbitrary code execution rather than just information disclosure,” EXPMON said in a post on X. “This is consistent with our and other security researchers’ findings over the past few days.”
