Adobe Patches Actively Exploited Acrobat Reader Zero-Day (CVE-2026-34621) — Update Now
Summary
Adobe has released emergency security patches for a critical zero-day vulnerability in Acrobat Reader that has been actively exploited in the wild for months. Tracked as CVE-2026-34621, the flaw is a prototype pollution issue that allows attackers to execute arbitrary code when a victim opens a specially crafted PDF file.
The vulnerability carries a CVSS score of 8.6 (initially rated 9.6 before the attack vector was reclassified from Network to Local). Exploitation has been traced back as far as November 2025, with attacks leveraging malicious PDFs containing obfuscated JavaScript that accesses privileged Acrobat APIs for file exfiltration and payload delivery. Targeted campaigns using Russian-language lures related to the oil and gas sector suggest APT-level threat actors are behind the attacks.
Affected versions include Acrobat DC and Reader DC 26.001.21367 and earlier, as well as Acrobat 2024 versions 24.001.30356 and earlier. Adobe urges all users to update immediately via Help → Check for Updates.
Sources
- The Hacker News — Adobe Patches Actively Exploited Reader Zero-Day
- SecurityWeek — Adobe Patches Reader Zero-Day Exploited for Months
- NVD — CVE-2026-34621
Commentary
The fact that this zero-day was exploited for roughly five months before Adobe patched it is a sobering reminder of how long sophisticated threat actors can operate under the radar. Prototype pollution in a PDF reader is a particularly nasty vector — PDFs are universally trusted documents that get shared, emailed, and opened without a second thought across every industry.
The APT connection through Russian-language lures targeting the energy sector also underscores how document-based exploits remain a preferred tool for state-aligned threat groups. If you run Acrobat or Reader in any capacity, patch immediately. If you can disable JavaScript in Reader without breaking your workflows, do that too — it eliminates this entire attack class.
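For anyone triaging inbound PDFs while the patch rolls out, the following is an added example (not code from Adobe or the sources above) that flags files carrying JavaScript actions, including ones whose PDF name keywords are hidden with `#xx` hex escapes. The function names and sample documents are constructed for illustration, and the check is generic to script-bearing PDFs rather than a signature for this CVE.

```python
import re
from collections import Counter

# PDF name: "/" + regular characters, where "#xx" encodes one byte as hex.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

SCRIPT = {"JS", "JavaScript"}    # JavaScript action keys
TRIGGER = {"OpenAction", "AA"}   # actions that fire without a click
OPAQUE = {"ObjStm"}              # compressed object streams can hide names


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script-related names in raw PDF bytes and return a coarse verdict."""
    counts, escaped = Counter(), set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in SCRIPT | TRIGGER | OPAQUE:
            counts[name] += 1
            if b"#" in raw:
                escaped.add(name)   # keyword written with hex escapes
    seen = set(counts)
    if SCRIPT & seen:
        verdict = "script-on-open" if TRIGGER & seen else "script"
    elif OPAQUE & seen:
        verdict = "needs-decompression"   # inflate object streams, then rescan
    else:
        verdict = "no-visible-script"
    return {"verdict": verdict, "counts": dict(counts), "escaped": sorted(escaped)}


# Constructed samples (not real malware, not taken from the campaign).
SAMPLE_SCRIPTED = (b"%PDF-1.7\n"
                   b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                   b"2 0 obj << /S /J#61vaScript /J#53 (placeholder) >> endobj\n")
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
SAMPLE_OPAQUE = b"%PDF-1.7\n5 0 obj << /Type /ObjStm /N 3 /First 20 >> stream\n"

if __name__ == "__main__":
    for label, blob in [("scripted", SAMPLE_SCRIPTED), ("plain", SAMPLE_PLAIN),
                        ("opaque", SAMPLE_OPAQUE)]:
        print(label, triage_pdf(blob))
```

Because it matches on raw bytes, binary stream data can occasionally produce a false hit, so treat the verdict as a reason to quarantine and inspect the file with a full PDF parser rather than as a final classification.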


