Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild.
The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 9.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.
It has been described as a case of prototype pollution that could lead to arbitrary code execution. Prototype pollution refers to a JavaScript security vulnerability that allows an attacker to manipulate an application’s objects and properties.
The issue impacts the following products and versions for both Windows and macOS:
- Acrobat DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
- Acrobat Reader DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
- Acrobat 2024 versions 24.001.30356 and earlier (Fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)
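The list above can be turned into a patch-triage check over a software inventory. This is an added example, not Adobe's or EXPMON's code; the inventory rows, host names and function names are constructed for illustration, and only the fixed build numbers come from the list.

```python
# Added example: patch triage for CVE-2026-34621 over a software inventory.
# Fixed builds come from the list above; everything else is constructed.

# First fixed build per product and platform, as listed in the article.
FIXED = {
    "Acrobat DC":        {"windows": "26.001.21411", "macos": "26.001.21411"},
    "Acrobat Reader DC": {"windows": "26.001.21411", "macos": "26.001.21411"},
    "Acrobat 2024":      {"windows": "24.001.30362", "macos": "24.001.30360"},
}

def parse_version(text):
    """Turn 'NN.NNN.NNNNN' into a tuple of ints so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, platform, version):
    """Return 'vulnerable', 'patched', 'not-listed' or 'unparseable'."""
    fixed = FIXED.get(product, {}).get(platform.lower())
    if fixed is None:
        return "not-listed"          # product/platform not covered by the list
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"         # do not guess; flag for manual review
    return "patched" if installed >= parse_version(fixed) else "vulnerable"

# Constructed sample inventory rows: (host, product, platform, version).
INVENTORY = [
    ("ws-014",  "Acrobat Reader DC",  "Windows", "26.001.21367"),
    ("ws-022",  "Acrobat DC",         "Windows", "26.001.21411"),
    ("mac-003", "Acrobat 2024",       "macOS",   "24.001.30360"),
    ("ws-031",  "Acrobat 2024",       "Windows", "24.001.30360"),
    ("ws-040",  "Acrobat Reader DC",  "Windows", "26.1"),
    ("ws-050",  "Example PDF Viewer", "Windows", "1.0.0"),
]

def hosts_needing_action(rows):
    """Hosts that are vulnerable or whose version could not be checked."""
    flagged = []
    for host, product, platform, version in rows:
        status = triage(product, platform, version)
        if status in ("vulnerable", "unparseable"):
            flagged.append((host, status))
    return flagged

if __name__ == "__main__":
    for host, status in hosts_needing_action(INVENTORY):
        print(f"{host}: {status}")
```

The Acrobat 2024 rows show why the platform has to be part of the comparison: build 24.001.30360 is the fixed build on macOS but is still below the Windows fix.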
Adobe acknowledged that it is “aware of CVE-2026-34621 being exploited in the wild.”
The development comes days after security researcher and EXPMON founder Haifei Li disclosed details of zero-day exploitation of the flaw to run malicious JavaScript code when opening specially crafted PDF documents in Adobe Reader. There is evidence suggesting that the vulnerability may have been under exploitation since December 2025.
“It seems that Adobe has decided the bug can result in arbitrary code execution — not simply an information leak,” EXPMON said in a post on X. “This aligns with our findings and those of other security researchers over the previous couple of days.”



