Overview
- Adobe released fixes for CVE-2026-34621 in Acrobat and Reader on Windows and macOS, with patched builds including Acrobat/Reader DC 26.001.21411 and Acrobat 2024 24.001.30362 on Windows and 24.001.30360 on macOS.
- Adobe confirmed the flaw is being exploited in the wild and said successful attacks can execute code, after revising its advisory to a CVSS 8.6 score and shifting the attack vector to Local.
- Researcher Haifei Li of EXPMON uncovered the zero‑day after a malicious PDF was submitted to his system, with sample analysis indicating exploitation dating back to November–December 2025.
- The bug is prototype pollution in PDF JavaScript, which let crafted files call privileged Acrobat APIs such as util.readFileIntoStream to read local files and RSS.addFeed to exfiltrate data and fetch more payloads.
- Security teams are urged to patch now, deploy published IoCs, warn users not to open untrusted PDFs, and consider blocking traffic with the “Adobe Synchronizer” user agent, as investigators examine Russian‑language lures linked to oil and gas themes without firm attribution.