
Actively exploited prototype pollution flaw in Adobe Acrobat Reader patched as CVE-2026-34621

2 unique sources, 2 articles

Summary


A critical prototype pollution vulnerability in Adobe Acrobat Reader, tracked as CVE-2026-34621, has been patched following active in-the-wild exploitation. The flaw permits arbitrary code execution via malicious PDF documents containing crafted JavaScript, enabling attackers to compromise vulnerable systems. Exploitation has been observed since at least December 2025, with reports indicating abuse of the bug in targeted attacks leveraging Russian-language lures in the oil and gas sector. Adobe released emergency updates on April 12, 2026, after researchers publicly disclosed exploitation details and technical impact. The bug bypasses sandbox restrictions by invoking privileged APIs such as util.readFileIntoStream() and RSS.addFeed(), allowing reading of arbitrary local files and data exfiltration without further user interaction.

Timeline

  1. 12.04.2026 07:25 · 2 articles

    Emergency patch issued for CVE-2026-34621 following active exploitation

    Adobe released emergency updates on April 12, 2026, addressing CVE-2026-34621 in Acrobat Reader and Acrobat DC/2024, after researchers reported active in-the-wild exploitation dating to December 2025. The patched versions mitigate prototype pollution leading to arbitrary code execution via malicious PDFs containing crafted JavaScript. Additional details: the exploit bypasses the sandbox via privileged JavaScript APIs (util.readFileIntoStream(), RSS.addFeed()), and the observed attacks used Russian-language lures targeting the oil and gas sector. The exploitation was discovered by Haifei Li of EXPMON after the sample "yummy_adobe_exploit_uwu.pdf" triggered detection on March 26; the sample had originally been uploaded to VirusTotal on March 23 with only five detections. The CVSS score was subsequently re-rated from 9.6 to 8.6 due to a change of the attack vector from network to local.


Similar Happenings

Active exploitation of Adobe Acrobat Reader zero-day via crafted PDFs since December 2025

A zero-day vulnerability in Adobe Acrobat Reader has been actively exploited since at least December 2025 using maliciously crafted PDF documents. Threat actors leverage a sophisticated, fingerprinting-style exploit targeting an unpatched flaw, enabling data theft and potential remote code execution or sandbox escape on compromised systems without requiring user interaction beyond opening the PDF. The attacks appear to be selectively targeting users, with phishing lures referencing Russian-language content related to the oil and gas industry.

Critical Vulnerabilities Patched in SAP, Microsoft, Adobe, and HPE Products

Multiple vendors, including SAP, Microsoft, Adobe, and Hewlett Packard Enterprise (HPE), have released security updates to address critical vulnerabilities that could lead to arbitrary code execution, privilege escalation, and authentication bypass. These flaws affect a wide range of enterprise software and network devices, posing significant risks to organizations. SAP patched two critical vulnerabilities: CVE-2019-17571 (CVSS 9.8) in SAP Quotation Management Insurance and CVE-2026-27685 (CVSS 9.1) in SAP NetWeaver Enterprise Portal Administration. Microsoft released patches for 84 vulnerabilities, including remote code execution flaws. Adobe addressed 80 vulnerabilities, with four critical flaws in Adobe Commerce and Magento Open Source. HPE fixed five vulnerabilities in Aruba Networking AOS-CX, including a severe authentication bypass flaw (CVE-2026-23813, CVSS 9.8). The patches highlight the ongoing need for vigilance in addressing vulnerabilities across enterprise software and network devices.

Active Exploitation of Critical Adobe AEM Forms Misconfiguration

A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.