Adobe Releases Critical Security Patch for Actively Exploited Acrobat Reader Vulnerability CVE-2026-34621

Key Findings

  • Adobe released emergency patches for CVE-2026-34621, a critical vulnerability in Acrobat Reader actively exploited in the wild
  • The flaw has a CVSS score of 8.6 and allows arbitrary code execution through prototype pollution in JavaScript
  • Evidence suggests exploitation has been occurring since at least December 2025
  • Security researcher Haifei Li discovered the vulnerability being used to deliver malicious JavaScript via crafted PDFs
  • Affected versions include Acrobat DC and Reader DC up to 26.001.21367, and Acrobat 2024 up to 24.001.30356 on Windows and macOS

Background


Adobe Acrobat Reader is one of the most widely used applications for viewing and interacting with PDF documents globally. The software's ubiquity makes it an attractive target for attackers seeking to compromise systems through seemingly innocuous files. This vulnerability represents a significant security risk because users often trust PDF documents and may not suspect malicious code execution occurring in the background.


Prototype Pollution Vulnerability


The vulnerability stems from improperly controlled modification of object prototype attributes, commonly known as prototype pollution. In JavaScript-based applications, objects inherit properties from shared prototypes like Object.prototype. When an application fails to properly validate user input, attackers can inject malicious values into these prototypes, affecting all objects that inherit from them. This particular flaw in Adobe Reader allowed attackers to execute arbitrary code by exploiting how the application handles object properties.
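To make the general mechanism concrete, here is an added example that is not Adobe's code and does not model the Acrobat flaw itself: a plain Node.js recursive object merge that trusts every key from an untrusted JSON document, beside a hardened version. The `UNTRUSTED_JSON` input is constructed for the demonstration, and the function names are this example's own.

```javascript
// Added example (not Adobe's code): the generic prototype-pollution pattern
// described above, shown on a plain Node.js object merge and a hardened form.

// Constructed attacker-controlled input, as an application might receive it
// from an untrusted JSON document. JSON.parse creates an *own* property
// literally named "__proto__" rather than changing the object's prototype.
const UNTRUSTED_JSON = '{"name": "report", "__proto__": {"polluted": true}}';

function isPlainObject(v) {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Vulnerable: recursive merge that trusts every key. Reading target["__proto__"]
// on an ordinary object yields Object.prototype, so the recursion writes the
// attacker's nested keys onto the shared prototype that every object inherits.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: only own enumerable keys are copied, names that reach the
// prototype chain are rejected, and nested containers are created with no
// prototype at all so there is nothing shared to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: does a fresh, unrelated object now see the injected property?
function isPolluted() {
  return ({}).polluted === true;
}

function demonstrate() {
  const result = {};
  unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  result.afterUnsafeMerge = isPolluted();   // true: every object is affected
  delete Object.prototype.polluted;          // undo so the rest of the process is clean
  const merged = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  result.afterSafeMerge = isPolluted();      // false
  result.safeKeys = Object.keys(merged);     // ["name"]: the "__proto__" key was dropped
  return result;
}

console.log(demonstrate());
```

The probe `({}).polluted` is the detection idea worth keeping: after the unsafe merge, an object the merge never touched reports the attacker's property, which is exactly why a single polluted prototype can change behaviour application-wide.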


Discovery and Active Exploitation


Security researcher Haifei Li, founder of EXPMON, first identified the vulnerability through an advanced detection system that flagged a suspicious PDF on March 26, 2026. The sample had a low antivirus detection rate (only 13 of 64 vendors flagged it), but the system's manual review process uncovered the sophisticated exploit. Adobe subsequently confirmed the flaw was being actively exploited in the wild, with evidence suggesting the attacks began months earlier.


Attack Mechanism


The malicious PDF exploit functions as an initial attack vector that abuses the Reader flaw to execute privileged APIs, even on systems that were fully up to date before this patch was released. The exploit uses the util.readFileIntoStream() function to read local files and harvest sensitive data. It then calls RSS.addFeed() to transmit stolen information to remote servers and receive additional malicious JavaScript payloads. This two-stage approach allows attackers to profile potential victims and decide whether to proceed with more damaging follow-on attacks such as remote code execution or sandbox escapes.


Affected Products and Patched Versions


The vulnerability impacts multiple Adobe products across Windows and macOS platforms. Acrobat DC and Reader DC users running versions 26.001.21367 and earlier need to update to 26.001.21411. Users of Acrobat 2024 should update to version 24.001.30362 on Windows or 24.001.30360 on macOS. All users of these products should prioritize applying these patches immediately.
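As a patch-triage aid, here is an added example (not Adobe's code or tooling) that applies the fixed builds listed above to an inventory record and reports which installs still need the update. The product and platform labels, the `INVENTORY` rows and the hostnames are constructed for the example; the version numbers are the ones the article gives.

```javascript
// Added example (not Adobe's): decide, from an inventory record, whether an
// Acrobat/Reader install still needs the CVE-2026-34621 update. Fixed builds are
// the ones listed above; product/platform names are this example's own labels.

const FIXED_VERSIONS = {
  'acrobat-dc':   { windows: '26.001.21411', macos: '26.001.21411' },
  'reader-dc':    { windows: '26.001.21411', macos: '26.001.21411' },
  'acrobat-2024': { windows: '24.001.30362', macos: '24.001.30360' },
};

// "26.001.21367" -> [26, 1, 21367]; numeric compare, so "001" sorts as 1 and a
// string comparison's "30362" < "30360" style mistakes cannot happen.
function parseVersion(s) {
  const parts = s.trim().split('.');
  if (parts.length !== 3 || parts.some(p => !/^\d+$/.test(p))) {
    throw new Error(`unrecognised Adobe version string: ${s}`);
  }
  return parts.map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Anything below the fixed build for its product and platform needs the update.
function assess(product, platform, installed) {
  const fixed = FIXED_VERSIONS[product]?.[platform];
  if (!fixed) throw new Error(`no patch data for ${product} on ${platform}`);
  const needsUpdate = compareVersions(installed, fixed) < 0;
  return { product, platform, installed, fixed, needsUpdate };
}

// Constructed inventory rows, not real hosts.
const INVENTORY = [
  { host: 'ws-01', product: 'reader-dc',    platform: 'windows', version: '26.001.21367' },
  { host: 'ws-02', product: 'acrobat-dc',   platform: 'macos',   version: '26.001.21411' },
  { host: 'ws-03', product: 'acrobat-2024', platform: 'macos',   version: '24.001.30356' },
  { host: 'ws-04', product: 'acrobat-2024', platform: 'windows', version: '24.001.30362' },
];

function hostsNeedingUpdate(inventory) {
  return inventory
    .filter(r => assess(r.product, r.platform, r.version).needsUpdate)
    .map(r => r.host);
}

console.log(hostsNeedingUpdate(INVENTORY)); // constructed data -> ['ws-01', 'ws-03']
```

Note that the fixed build differs between Windows and macOS for Acrobat 2024, so the platform must be part of the lookup; a check keyed on product alone would mark a patched macOS install at 24.001.30360 as still vulnerable.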


Researcher Recognition


Adobe credited Haifei Li for responsibly disclosing this vulnerability. Li's work with EXPMON demonstrates the importance of advanced threat detection systems that can identify zero-day exploits missed by traditional antivirus solutions, highlighting the value of expert analysis in uncovering sophisticated attack campaigns.


Sources


  • https://securityaffairs.com/190697/security/adobe-fixes-actively-exploited-acrobat-reader-flaw-cve-2026-34621.html

  • https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html

  • https://www.cypro.se/2026/04/12/adobe-patches-actively-exploited-acrobat-reader-flaw-cve-2026-34621/

  • https://x.com/shah_sheikh/status/2043208912061768085

  • https://www.linkedin.com/posts/cybercureme_adobe-patches-actively-exploited-acrobat-activity-7448974600094281728-uJQi

  • https://www.cyberkendra.com/2026/04/adobe-acrobat-zero-day-cve-2026-34621.html

© 2025 by Explain IT Again.