Adobe has released an emergency patch for a critical vulnerability in Acrobat Reader that is being actively exploited in the wild. The flaw, identified as CVE-2026-34621, allows attackers to execute arbitrary code on a target’s system by tricking them into opening a malicious PDF document.
Details of the Zero-Day Vulnerability
According to Adobe’s security bulletin, the vulnerability is described as an “Improperly Controlled Modification of Object Prototype Attributes” issue. The company has not released more in-depth technical details about the flaw.
Security researcher Haifei Li, who disclosed the exploit, noted that attackers have likely been leveraging the flaw for at least four months. Evidence of misuse dates back to November of last year.
Emergency Patch and Recommendations
In an unusual move, Adobe released the security updates outside of its regular Patch Tuesday schedule, underscoring the severity of the threat. This is not the first time a major software company has had to release an emergency patch, as seen in our coverage of a previous Microsoft Patch Tuesday.
Li has urged all Adobe users to install the updates as soon as possible. The patched versions are Acrobat DC 26.001.21411, Acrobat Reader DC 26.001.21411, and Acrobat 2024 version 24.001.30362 for Windows and 24.001.30360 for macOS. Some experts also recommend uninstalling standalone PDF readers, as modern browsers have built-in capabilities to view PDF files, which can help reduce a system’s attack surface.
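To check a fleet against the patched builds listed above, the following is an added example, not code from Adobe or from the original article. It compares versions numerically per product and platform; the inventory records, host names and field names are constructed, and applying the DC build to both Windows and macOS is an assumption.

```python
import re

# Patched builds as listed in the article. Applying the DC build to both
# platforms is an assumption; the article gives no per-platform split for DC.
PATCHED = {
    ("Acrobat DC", "windows"): "26.001.21411",
    ("Acrobat DC", "macos"): "26.001.21411",
    ("Acrobat Reader DC", "windows"): "26.001.21411",
    ("Acrobat Reader DC", "macos"): "26.001.21411",
    ("Acrobat 2024", "windows"): "24.001.30362",
    ("Acrobat 2024", "macos"): "24.001.30360",
}
VERSION_RE = re.compile(r"\d+(\.\d+){2}")

# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "product": "Acrobat Reader DC", "platform": "Windows", "version": "26.001.21411"},
    {"host": "ws-002", "product": "Acrobat Reader DC", "platform": "Windows", "version": "26.001.9999"},
    {"host": "mac-003", "product": "Acrobat 2024", "platform": "macOS", "version": "24.001.30360"},
    {"host": "ws-004", "product": "Acrobat 2024", "platform": "Windows", "version": "24.001.30360"},
    {"host": "ws-005", "product": "Acrobat DC", "platform": "Windows", "version": "n/a"},
]

def parse_version(text):
    """'26.001.21411' -> (26, 1, 21411), so builds compare as numbers."""
    if not VERSION_RE.fullmatch(text.strip()):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))

def classify(product, platform, version):
    """Return 'patched', 'needs-update' or 'unknown' for one install."""
    baseline = PATCHED.get((product, platform.lower()))
    if baseline is None:
        return "unknown"  # product/platform not covered by the article
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable data is surfaced, never assumed safe
    return "patched" if installed >= parse_version(baseline) else "needs-update"

def triage(inventory):
    """List (host, status) for every install that is not confirmed patched."""
    rank = {"needs-update": 0, "unknown": 1}
    rows = [(r["host"], classify(r["product"], r["platform"], r["version"]))
            for r in inventory]
    return sorted((r for r in rows if r[1] != "patched"),
                  key=lambda r: (rank[r[1]], r[0]))
```

A plain string comparison would rank the constructed build `26.001.9999` above `26.001.21411`, which is why the versions are parsed into integer tuples first.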



