Adobe patches actively exploited Acrobat Reader zero-day after months of PDF attacks

Adobe has confirmed that attackers have been exploiting a zero-day flaw in Acrobat Reader in the wild, and the company has now released a security update for Windows and macOS users. The vulnerability, tracked as CVE-2026-34621, can lead to arbitrary code execution when a victim opens a malicious PDF file.

That means the earlier warnings from researchers were not just a theoretical risk. Adobe’s own bulletin now says it is aware of active exploitation, which makes this one of the more urgent Reader updates in recent months.

BEST SPRING 2026 DEALS

Editor's Choice

Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.

Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

Users and IT teams should update immediately. Adobe says affected builds include Acrobat Reader DC 26.001.21367 and earlier, as well as Acrobat 2024 version 24.001.30356 and earlier, with patched versions now available.

Researchers say attacks began months before the patch

Before Adobe published its bulletin, researchers warned that the exploit had likely been active since at least December 2025. Sophos said the attacks used specially crafted PDF files with obfuscated JavaScript that executed when opened, allowing threat actors to access privileged Acrobat APIs, steal system and user data, and potentially set up follow-on attacks.

Separate reporting said the activity appeared targeted rather than broad and opportunistic. Analysts linked the lure documents to Russian-language themes tied to the oil and gas sector, suggesting the attackers were choosing victims carefully.

The flaw itself now has a formal description. NVD lists CVE-2026-34621 as an improper control of object prototype attributes issue, also known as prototype pollution, in Acrobat Reader. It says exploitation requires user interaction because the victim must open a malicious file.

What Adobe fixed and who needs to act now

Adobe’s bulletin gives the clearest update path. On the Continuous track, Acrobat DC and Acrobat Reader DC move to version 26.001.21411. On the Classic 2024 track, patched versions are Windows 24.001.30362 and macOS 24.001.30360.

The company says users can install the fix through Help > Check for Updates, let the product update automatically, or download the full installer from Adobe’s Reader Download Center. That advice applies to both individual users and managed enterprise environments.

Adobe has not published public technical detail beyond the CVE description and update guidance, but the combination of confirmed in-the-wild exploitation and a Priority 1 rating makes the message clear. This is not an update to delay.

Affected and patched versions

Source: Adobe APSB26-43.

What defenders should do now

• Update Acrobat Reader and Acrobat immediately across all endpoints.
• Treat unsolicited PDF attachments as high risk until patch coverage is complete.
• Scan email attachments and web downloads for suspicious PDFs before users open them.
• Review logs and network traffic for suspicious Reader-related activity if your organization handles targeted phishing attempts.

FAQ