Adobe patches Acrobat and Reader flaws that can lead to code execution and file reads


Adobe has released security updates for Acrobat and Reader on Windows and macOS to fix two vulnerabilities that can let attackers execute code or read local files if a user opens a malicious PDF. Adobe says it has no evidence of in-the-wild exploitation for the issues covered by this bulletin.

The bugs affect both the Continuous and Classic 2024 tracks. Impacted versions include Acrobat DC and Acrobat Reader DC 26.001.21411 and earlier on Windows and macOS, plus Acrobat 2024 24.001.30362 and earlier on Windows and 24.001.30360 and earlier on macOS.

Adobe has assigned these updates Priority 2, which means admins should patch promptly even though the company has not seen active attacks. The fixed versions are 26.001.21431 for the Continuous track and 24.001.30365 for Acrobat 2024.

What the two vulnerabilities do

The more serious issue is CVE-2026-34622, a prototype pollution flaw that Adobe says can lead to arbitrary code execution in the context of the current user. Adobe rates it critical with a CVSS base score of 8.6.

The second bug, CVE-2026-34626, also involves prototype pollution, but its impact is limited to arbitrary file system read. Adobe rates that one important with a CVSS base score of 6.3.

Both flaws require user interaction. In practical terms, an attacker would need to convince a target to open a crafted PDF, which keeps phishing and document lures at the center of the threat model for Acrobat and Reader bugs like these.

Affected versions and fixed releases

Product           | Track        | Affected versions                                                   | Fixed version
------------------|--------------|---------------------------------------------------------------------|--------------
Acrobat DC        | Continuous   | 26.001.21411 and earlier                                            | 26.001.21431
Acrobat Reader DC | Continuous   | 26.001.21411 and earlier                                            | 26.001.21431
Acrobat 2024      | Classic 2024 | Windows 24.001.30362 and earlier, macOS 24.001.30360 and earlier    | 24.001.30365

Adobe’s bulletin makes clear that both Windows and macOS users need to update. Enterprise release notes for the April 14 builds also show the new installers and patch packages for managed environments.
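Checking a fleet against the version table is easy to get wrong by eye or with a naive string comparison, so here is an added example (not Adobe's tooling, and not code from this article) that compares installed builds against the fixed builds from the bulletin. The fixed-version values are transcribed from the bulletin; the function names, the inventory shape and the sample hosts are constructed for illustration.

```javascript
// Added example, not Adobe's tooling: check installed Acrobat/Reader builds
// against the fixed builds in the bulletin. The FIXED_VERSIONS values are
// transcribed from the bulletin; function names, the inventory shape and the
// sample hosts are assumptions for illustration.

// Fixed builds per track and platform. For this bulletin the fixed build is the
// same on Windows and macOS; the per-platform layout is kept so the table can
// hold differing values when a bulletin specifies them.
const FIXED_VERSIONS = {
  "Continuous": { windows: "26.001.21431", macos: "26.001.21431" },
  "Classic 2024": { windows: "24.001.30365", macos: "24.001.30365" },
};

// Parse "26.001.21411" into [26, 1, 21411]. Plain string comparison is a trap:
// "24.001.9" sorts after "24.001.30365" as text although it is an older build.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length !== 3 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unrecognised Acrobat version string: ${v}`);
  }
  return parts.map(Number);
}

// Comparator over numeric components: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Infer the track from the major version: 26.x is Continuous, 24.x is Classic 2024.
function trackFor(version) {
  const major = parseVersion(version)[0];
  if (major === 26) return "Continuous";
  if (major === 24) return "Classic 2024";
  return null; // not one of the two tracks named in the bulletin
}

// true  -> installed build is at or above the fixed build for its track
// false -> still affected
// null  -> track unknown; flag for manual review rather than assume safe
function isPatched(installedVersion, platform) {
  const track = trackFor(installedVersion);
  if (track === null) return null;
  const fixed = FIXED_VERSIONS[track][platform];
  if (fixed === undefined) throw new Error(`unknown platform: ${platform}`);
  return compareVersions(installedVersion, fixed) >= 0;
}

// Hosts that still need the update (unknown tracks are included so nobody misses them).
function unpatchedHosts(inventory) {
  return inventory
    .filter((h) => isPatched(h.version, h.platform) !== true)
    .map((h) => h.host);
}

// Constructed sample inventory; these are not real hosts.
const SAMPLE_INVENTORY = [
  { host: "ws-001", platform: "windows", version: "26.001.21411" },
  { host: "ws-002", platform: "windows", version: "26.001.21431" },
  { host: "mac-001", platform: "macos", version: "24.001.30360" },
  { host: "mac-002", platform: "macos", version: "24.001.30365" },
  { host: "ws-003", platform: "windows", version: "24.001.30362" },
];

console.log("Hosts still needing the April 14 builds:", unpatchedHosts(SAMPLE_INVENTORY));
```

Feed it whatever your inventory tool exports (SCCM, Jamf, osquery) once mapped to the host/platform/version shape; builds on a track the bulletin does not name come back as `null` so they are reported rather than silently treated as safe.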

One notable detail in Adobe’s bulletin is that the CVSS scoring for CVE-2026-34622 changed before publication. Adobe says it adjusted the attack vector from Network to Local on April 12, which lowered the overall score from 9.6 to 8.6.

That change matters because it narrows how the bug gets abused. The flaw still presents a serious risk, but the revised score better reflects the fact that the attack depends on local interaction through a malicious file rather than a purely remote exploit path.

What users and IT teams should do now

  • Open Acrobat or Reader and go to Help > Check for Updates
  • Let automatic updates install the April 14 patched builds
  • Download the latest installer from Adobe if manual updating fails
  • Push the update through SCCM, SCUP, GPO, Apple Remote Desktop, or SSH in managed fleets
  • Treat unexpected PDF attachments and download prompts with extra caution until all endpoints are patched

Adobe says end users can patch manually through the in-app updater, while enterprise admins should rely on their normal deployment tools. That includes AIP-GPO, bootstrapper, SCUP or SCCM on Windows, and Apple Remote Desktop or SSH on macOS.

Because Acrobat and Reader often sit at the edge of email and document workflows, even flaws that require a user to open a file can become high-value targets. A single successful lure can hand attackers code execution or expose sensitive local content.

The good news is that Adobe has already published the fixes and says no active exploitation is known for these two CVEs. That gives defenders a clear window to patch before attackers can build reliable campaigns around the new disclosure.

FAQ

What is the new Adobe Acrobat Reader vulnerability?

Adobe fixed two vulnerabilities, CVE-2026-34622 and CVE-2026-34626, in Acrobat and Reader for Windows and macOS. One can lead to code execution, while the other can expose local files.

Is Adobe aware of active attacks?

No. Adobe says it is not aware of exploits in the wild for the issues addressed in this update.

Which version should I update to?

Users on the Continuous track should update to 26.001.21431. Users on Acrobat 2024 should update to 24.001.30365.

What does prototype pollution mean here?

In this case, Adobe classifies both flaws as improper modification of object prototype attributes. One can end in arbitrary code execution, while the other can allow arbitrary file system read.
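To make the bug class concrete, here is an added example in plain JavaScript, not code from Acrobat or from this article, of what improper modification of object prototype attributes looks like in a recursive merge routine, beside a hardened version of the same routine. The function names and the sample JSON are constructed for illustration; the bulletin does not describe where in Acrobat the flaws live, and this example does not attempt to.

```javascript
// Added example, not code from Acrobat or from this article: what improper
// modification of object prototype attributes (prototype pollution) looks like
// in a recursive merge, beside a hardened merge. Function names and the sample
// JSON are constructed for illustration.

// Vulnerable: copies every own key of an untrusted object into target,
// recursing into nested objects. JSON.parse turns a "__proto__" key into an
// ordinary own property, so Object.keys() returns it; target["__proto__"]
// then resolves to Object.prototype and the nested values land there, where
// every object in the program inherits them.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into properties the target actually owns (never inherited ones).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run one merge over constructed untrusted input and report what happened to
// an unrelated object created afterwards. Cleans up Object.prototype so a
// polluted run does not contaminate later runs.
function demonstrate(mergeFn) {
  const untrusted = JSON.parse('{"title":"report","__proto__":{"isAdmin":true}}');
  const settings = mergeFn({}, untrusted);
  const unrelated = {};
  const outcome = {
    settingsTitle: settings.title,
    settingsOwnKeys: Object.keys(settings),
    unrelatedInheritsIsAdmin: unrelated.isAdmin === true,
  };
  delete Object.prototype.isAdmin;
  return outcome;
}

console.log("unsafe merge:", demonstrate(mergeUnsafe));
console.log("safe merge:  ", demonstrate(mergeSafe));
```

The telling detail is that `settings` looks identical after both merges (its only own key is `title`); the damage from the unsafe version shows up on an object the merge never touched, which is why this class of bug is hard to spot in code review and why key filtering plus own-property checks belong in any merge, clone or deep-assign helper that handles untrusted input.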
