Adobe PDF zero‑day patched

Adobe released a patch for a zero‑day flaw in Reader and Acrobat that security researchers say had been actively exploited via booby‑trapped PDFs to profile targets and hijack machines. The patch closes months of reported in‑the‑wild abuse and is being positioned as critical for endpoint defence teams.

Adobe has shipped an emergency fix for a Reader and Acrobat flaw that attackers were already using to take over computers with malicious PDF files. (helpx.adobe.com)

The bug is tracked as CVE-2026-34621, and Adobe published bulletin APSB26-43 on April 11, 2026 with a priority-1 rating, its most urgent patch tier for enterprise deployment. Adobe said the flaw affects Windows and macOS versions of Acrobat DC, Acrobat Reader DC, and Acrobat 2024. (helpx.adobe.com)

Adobe said successful exploitation could lead to arbitrary code execution, meaning a booby-trapped PDF can make the computer run attacker code when the file is opened. The company lists fixed versions as 26.001.21411 for the continuous Acrobat and Reader track, and 24.001.30362 for Windows and 24.001.30360 for macOS on Acrobat 2024. (helpx.adobe.com)

Portable Document Format files, or PDFs, are meant to package text, images, and forms so they open the same way on different devices. Reader and Acrobat also support embedded JavaScript for form logic and document actions, and researchers said this campaign abused that feature to run hidden code. (sophos.com)

Haifei Li of EXPMON disclosed the attacks on April 7, 2026 and said the exploit had been active since at least December 2025. Sophos said the malicious PDFs used obfuscated JavaScript to call privileged Acrobat application programming interfaces and steal user and system data before possible follow-on attacks. (justhaifei1.blogspot.com, sophos.com)

Adobe classifies the underlying bug as an improper modification of object prototype attributes, a software design flaw often called prototype pollution. In plain terms, that lets malicious code tamper with shared program behavior and turn trusted document actions into a path for code execution. (helpx.adobe.com)

Adobe originally scored the flaw at 9.6 on the Common Vulnerability Scoring System, then revised it to 8.6 on April 12 after changing the attack vector from network to local. The company still kept the patch at priority 1 and said it was aware of exploitation in the wild. (helpx.adobe.com)

Researchers described the operation as selective rather than mass spam. Sophos said the lure documents used Russian-language themes tied to the oil and gas sector, and The Register reported the PDFs were used to profile targets before deciding who received a second-stage payload. (sophos.com, theregister.com)

For security teams, the immediate job is patching Reader and Acrobat, then checking mail gateways, endpoint logs, and sandbox detections for suspicious PDF attachments dating back to December 2025. Adobe’s own guidance says end users can update through Help > Check for Updates, while managed environments can push the fix through standard software deployment tools. (helpx.adobe.com, sophos.com)

The exploit started with a file format built to be universal, then turned that ubiquity into an attack path. Adobe’s patch closes the known hole, but any organization that opened suspicious PDFs over the past four months still has to treat those systems as potentially exposed. (helpx.adobe.com, sophos.com)
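
For teams working through the patching step, the sketch below compares installed builds from a software inventory against the fixed versions listed above. It is an added example, not Adobe's or the researchers' code; the inventory format, the track and platform labels, the host names and the installed versions are all assumptions constructed for illustration.

```python
"""Flag Acrobat/Reader installs older than the fixed builds in APSB26-43."""

# Fixed builds as listed in the article, keyed by (track, platform).
# The track and platform labels are names chosen for this example.
FIXED = {
    ("continuous", "windows"): "26.001.21411",
    ("continuous", "macos"): "26.001.21411",
    ("acrobat2024", "windows"): "24.001.30362",
    ("acrobat2024", "macos"): "24.001.30360",
}


def parse_version(text):
    """Turn 'YY.RRR.BBBBB' into a tuple of ints; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(record):
    """Return 'patched', 'vulnerable' or 'review' for one inventory record."""
    key = (record.get("track", "").lower(), record.get("platform", "").lower())
    fixed = FIXED.get(key)
    if fixed is None:
        return "review"  # unknown track/platform: do not assume it is safe
    try:
        installed = parse_version(record.get("version", ""))
    except ValueError:
        return "review"  # unparseable version: needs a human look
    return "patched" if installed >= parse_version(fixed) else "vulnerable"


def hosts_needing_action(inventory):
    """Map each host that is not confirmed patched to its triage status."""
    return {r["host"]: s for r in inventory if (s := triage(r)) != "patched"}


# Constructed sample inventory (host names and installed versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "track": "continuous", "platform": "windows", "version": "26.001.21411"},
    {"host": "ws-002", "track": "continuous", "platform": "windows", "version": "25.001.20997"},
    {"host": "mac-003", "track": "acrobat2024", "platform": "macos", "version": "24.001.30360"},
    {"host": "ws-004", "track": "acrobat2024", "platform": "windows", "version": "24.001.30360"},
    {"host": "ws-005", "track": "continuous", "platform": "windows", "version": "unknown"},
]

if __name__ == "__main__":
    for host, status in hosts_needing_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Build 24.001.30360 counts as fixed on macOS but not on Windows, which is why the comparison is keyed by platform as well as track. A "patched" result only reflects the installed build and says nothing about whether a suspicious PDF was opened on that host before the update.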
