Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw

Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December.

The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, potentially leading to arbitrary code execution. The exploit observed in attacks enables reading and stealing arbitrary files. No user interaction is required beyond opening the malicious PDF.

Specifically, the exploit abuses APIs like util.readFileIntoStream() to read arbitrary local files and RSS.addFeed() to exfiltrate data and fetch additional attacker-controlled code.

The security issue was discovered by Haifei Li, founder of the EXPMON exploit detection system, after someone submitted for analysis a PDF sample named “yummy_adobe_exploit_uwu.pdf.”

Haifei Li says that someone submitted the sample to EXPMON on March 26, but it had been sent to VirusTotal three days before, where only five out of 64 security vendors flagged it as malicious at the time.

The researcher decided to manually investigate the issue after the exploit detection system activated its “detection in depth” feature, an advanced detection capability Haifei Li specifically developed for Adobe Reader, he says in a blog post last week.

Security researcher Gi7w0rm spotted attacks in the wild that leveraged Russian-language documents with oil and gas industry lures.

Following the receipt of Li’s report, Adobe published a security bulletin over the weekend, assigning the vulnerability the CVE-2026-34621 tracker.

Although the flaw was initially rated critical (9.6) with a network attack vector, Adobe subsequently lowered the severity to 8.6 after changing the vector to local.

The vendor listed the following Windows and macOS products as impacted:

• Acrobat DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
• Acrobat Reader DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
• Acrobat 2024 versions 24.001.30356 and earlier (fixed in version 24.001.30362 on Windows, and version 24.001.30360 on Mac)

Adobe recommends that users of the above software update their applications through ‘Help > Check for Updates,’ which triggers an automated update.

Alternatively, users may download an Acrobat Reader installer from Adobe’s official software portal.

No workarounds or mitigations were listed in the bulletin, so applying the security updates is the only recommended action.

However, users should always be wary of PDF files sent from unsolicited sources and open them in sandboxed environments when suspicious.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Get Your Copy Now