Zero Day Adobe Acrobat Exploit
Adobe has just patched a zero-day vulnerability that may have been exploited in the wild for months.
Adobe has released emergency updates to fix a critical security flaw in Acrobat software that has come under active exploitation in the wild. The vulnerability was assigned the CVE identifier CVE-2026-34621, and it carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations. This critical vulnerability, which affects users of Adobe Acrobat and Reader on both Windows and macOS, is already being exploited by attackers, possibly since December of 2025.
The vulnerability is being described as a case of prototype pollution that could result in arbitrary code execution. Prototype pollution refers to a JavaScript security vulnerability that permits an attacker to manipulate an application’s objects and properties. Even though PDFs were originally designed to be static documents, today they include JavaScript to allow for interactivity, automation, and advanced form capabilities. Support for JavaScript (specifically PDF-JS) allows PDFs to behave more like interactive applications or web pages. Who would have thought that JavaScript could be exploited?
The use of PDF documents in cybersecurity threats is far from uncommon. For example, they represent the initial or primary “malicious document” attack surface for social engineering attacks. This vulnerability, which is a zero-day exploit targeting Adobe Reader itself, is a much more serious threat.
On April 7, Haifei Li, who is best known for developing a sandbox-based exploit-detection platform called EXPMON, warned that attackers are exploiting a “zero-day/unpatched vulnerability in Adobe Reader.” He then went on to say that “it allows it to execute privileged Acrobat Application Programming Interfaces, and it is confirmed to work on the latest version of Adobe Reader.”
It is highly recommended that all installations of Adobe Acrobat be updated immediately, since this vulnerability impacts the following products and versions for both Windows and macOS:
Acrobat DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
Acrobat Reader DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
Acrobat 2024 versions 24.001.30356 and earlier (Fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)
And remember, only patch with official updates and install with official installer executables.

