Adobe has released an emergency security update to fix a critical vulnerability in Adobe Acrobat Reader that is already being exploited by attackers. The flaw, tracked as CVE-2026-34621, has received a CVSS score of 9.6, making it a high-risk issue that users should not ignore.
The vulnerability is described as a prototype pollution issue. It allows attackers to manipulate how the application handles objects and data. If exploited successfully, it can lead to arbitrary code execution. This means a malicious PDF file could run harmful code on a user’s system just by being opened.
Read: Best PDF Reader Apps for Android and iOS
Security researchers say the attack works by embedding specially crafted JavaScript inside PDF documents.
The issue impacts multiple versions of Acrobat and Reader across both Windows and macOS.
Adobe has released patches for:
- Acrobat Reader DC and Acrobat DC (fixed in version 26.001.21411)
- Acrobat 2024 (fixed in newer builds for both Windows and macOS)
Users running older versions are at risk and should update immediately.
Adobe has confirmed that the vulnerability is being actively exploited in real-world attacks.
Research from EXPMON founder Haifei Li suggests that the flaw may have been used since December 2025. Initial findings indicated that attackers were using the bug to execute malicious JavaScript through PDF files.
Further analysis now shows the impact is more serious, with the ability to execute code on affected systems.
PDF files are widely used and often trusted, which makes this type of vulnerability more dangerous. Attackers can use simple tactics like email attachments or downloads to trick users into opening infected files. Once opened, the system could be compromised without any visible warning.
If you are using Adobe Acrobat or Reader, updating the software should be your top priority.
