CyberTimes
Vulnerability Advisory

CVE-2026-34621

Adobe has issued an emergency patch for CVE-2026-34621 (CVSS 8.6), a prototype pollution vulnerability in Acrobat Reader and Acrobat DC actively exploited in the wild since December 2025. Update to version 26.001.21411 or 24.001.30362 immediately on Windows and macOS.

Severity
high
CVSS Score
8.6 / 10
Fix Status
Patch available
Exploitation
Actively exploited
Published
Apr 12, 2026

Affected Products

  • Acrobat DC and Acrobat Reader DC — versions 26.001.21367 and earlier (Windows and macOS)
  • Acrobat 2024 — versions 24.001.30356 and earlier (Windows and macOS)

Key Facts

  • Adobe has released an emergency patch for CVE-2026-34621, a prototype pollution vulnerability in Acrobat Reader and Acrobat DC that enables arbitrary code execution — confirming what security researchers suspected for months about the zero-day exploited via malicious PDF files.
  • The flaw carries a CVSS score of 8.6 and affects Acrobat DC versions up to 26.001.21367 and Acrobat 2024 versions up to 24.001.30356 on both Windows and macOS — a patch is now available and must be applied immediately.
  • Adobe confirmed it is aware of exploitation in the wild, with evidence from EXPMON suggesting attacks began as far back as December 2025 through fake invoice PDFs that silently executed obfuscated JavaScript to harvest sensitive data.
  • Adobe revised its initial CVSS score downward from 9.6 to 8.6 on April 12, 2026, adjusting the attack vector from Network to Local — meaning the attacker requires the victim to open a malicious PDF file rather than being able to exploit the flaw remotely without user interaction.
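
For patch triage, the version ranges above can be checked against a software inventory. The following is an added example, not code from the advisory or from Adobe; the hostnames and the sample inventory are constructed, and pairing each fixed build with a product by its leading version component is an assumption.

```python
import re

# Product -> (highest affected version, fixed version); numbers from the advisory.
# Assumption: each fixed build belongs to the product whose affected range
# shares its leading version component.
ADVISORY = {
    "Acrobat DC":        ((26, 1, 21367), (26, 1, 21411)),
    "Acrobat Reader DC": ((26, 1, 21367), (26, 1, 21411)),
    "Acrobat 2024":      ((24, 1, 30356), (24, 1, 30362)),
}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")

def parse_version(text):
    """Return (major, minor, build) as ints, or None if the string is malformed."""
    m = VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(product, version_text):
    """Return 'affected', 'patched' or 'unknown' for one installed product."""
    v = parse_version(version_text)
    if v is None or product not in ADVISORY:
        return "unknown"      # unreadable version or product not listed
    last_affected, fixed = ADVISORY[product]
    if v <= last_affected:    # numeric compare covers "and earlier"
        return "affected"
    if v >= fixed:
        return "patched"
    return "unknown"          # build between the two numbers: advisory is silent

def triage(inventory):
    """Group (host, product, version) rows into {status: [hosts]}."""
    buckets = {"affected": [], "patched": [], "unknown": []}
    for host, product, version in inventory:
        buckets[classify(product, version)].append(host)
    return buckets

# Constructed sample inventory; hosts and the older/intermediate builds are invented.
SAMPLE = [
    ("ws-001", "Acrobat Reader DC", "26.001.21367"),
    ("ws-002", "Acrobat DC", "26.001.21411"),
    ("ws-003", "Acrobat Reader DC", "25.001.20432"),
    ("mac-004", "Acrobat 2024", "24.001.30356"),
    ("mac-005", "Acrobat 2024", "24.001.30360"),
    ("mac-006", "Acrobat 2024", "unreadable"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need manual review rather than being treated as patched.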

Full Analysis

CVE-2026-34621: Adobe Releases Emergency Patch for Actively Exploited Acrobat Reader Flaw — Update Now
