Overview
- Adobe released emergency updates to fix CVE-2026-34621 in Acrobat and Reader after confirming active exploitation of the flaw in the wild.
- The vulnerability is a JavaScript prototype‑pollution issue that lets a single opened PDF read local files, exfiltrate data, and fetch additional attacker code that may enable sandbox escape or code execution.
- Adobe revised its advisory, lowering the CVSS score to 8.6 and clarifying that the attack vector is Local, which means the attack works only when a user opens a malicious file.
- Updates are available as Acrobat/Reader DC 26.001.21411 and Acrobat 2024 24.001.30362 on Windows and 24.001.30360 on macOS.
- Researchers traced exploitation to late 2025 and spotted Russian‑language oil and gas lures. They call for urgent patching, careful handling of unknown PDFs, hunting with published IoCs, and blocking traffic that uses the “Adobe Synchronizer” user‑agent where possible.
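
An added example, not taken from Adobe's advisory or the researchers' write-up: one way to hunt forward-proxy logs for the "Adobe Synchronizer" user-agent and list which clients sent it and where. The combined log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

SUSPECT_UA = "adobe synchronizer"  # user-agent named above, compared lower-case

# Assumed log layout (combined format, as many forward proxies can emit):
# client ident user [time] "METHOD TARGET PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"\s*$'
)

def dest_host(method, target):
    """Destination host for a plain proxied request or a CONNECT tunnel."""
    if method == "CONNECT":  # target is host:port
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "unknown").lower()

def hunt(lines):
    """Return ({client: {dest_host: count}}, unparsed_line_count)."""
    hits = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # keep a count so log-format drift is visible
            continue
        if SUSPECT_UA in m["ua"].lower():
            hits[m["client"]][dest_host(m["method"], m["target"])] += 1
    return {c: dict(d) for c, d in hits.items()}, unparsed

# Constructed sample lines (documentation IPs and example domains, not real IoCs).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:09:14:02 +0000] "CONNECT sync.example.net:443 HTTP/1.1" 200 0 "-" "Adobe Synchronizer"',
    '192.0.2.10 - - [01/Jan/2026:09:14:07 +0000] "GET http://cdn.example.com/a.js HTTP/1.1" 200 512 "-" "adobe synchronizer"',
    '192.0.2.22 - - [01/Jan/2026:09:15:00 +0000] "GET http://www.example.org/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2026:09:16:30 +0000] "CONNECT sync.example.net:443 HTTP/1.1" 200 0 "-" "Adobe Synchronizer"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    found, unparsed = hunt(SAMPLE)
    for client, dests in sorted(found.items()):
        for host, count in sorted(dests.items()):
            print(f"{client} -> {host}: {count} request(s)")
    print(f"unparsed lines: {unparsed}")
```

Each client in the result is a host to check against the fixed versions listed above; a non-zero unparsed count means the regular expression needs adjusting to the proxy's actual format before the result can be trusted.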