Adobe patches exploited PDF flaw

Adobe released a patch for a Reader and Acrobat vulnerability that had been exploited in the wild via malicious PDF documents. (theregister.com) Security writeups say the flaw let attackers profile targets and then execute code remotely, underscoring that widely used file formats remain high-probability attack vectors even as attention shifts to AI threats. (techloy.com)

Adobe has shipped an emergency fix for a Reader and Acrobat flaw that attackers were already exploiting through booby-trapped PDF files. (adobe.com) The bug is tracked as CVE-2026-34621, and Adobe published bulletin APSB26-43 on April 11 with a Priority 1 rating, its highest patch-urgency tier. Adobe said the flaw affects the Windows and macOS versions of Acrobat DC, Acrobat Reader DC, and Acrobat 2024. (adobe.com)

Adobe said successful exploitation could lead to arbitrary code execution, meaning a PDF could make the victim's computer run attacker-supplied code. The company listed the fixed versions as 26.001.21411 for Acrobat DC and Reader DC, 24.001.30362 for Acrobat 2024 on Windows, and 24.001.30360 for Acrobat 2024 on macOS. (adobe.com)

A PDF is supposed to be a document container, like a sealed envelope for text and images. In this case, researchers said a crafted PDF could run hidden JavaScript, call privileged Acrobat functions, read local files, and pull additional code from an attacker-controlled server once the file was opened. (sophos.com, bleepingcomputer.com) Adobe classified the underlying weakness as prototype pollution, a programming flaw in which attacker-controlled input writes to a shared object prototype and thereby changes how every object that inherits from it behaves. The National Vulnerability Database says the issue can lead to code execution in the context of the current user, and on April 12 Adobe lowered its severity score from 9.6 to 8.6 after revising the attack vector. (adobe.com, nist.gov)

The public trail suggests the attacks were not new. Sophos said exploitation had been active since at least December 2025, and researcher Haifei Li of EXPMON wrote on April 8 that the sample he analyzed worked against the latest Adobe Reader with no interaction beyond opening the PDF. (sophos.com, blogspot.com) Li said the malicious document acted first as a profiling tool, collecting information about the target machine before follow-on exploitation.
Sophos said some observed lures used Russian-language oil and gas themes, which points to targeted campaigns rather than broad spam. (blogspot.com, sophos.com)

United States civilian agencies now have a federal deadline attached to the bug. The Cybersecurity and Infrastructure Security Agency added CVE-2026-34621 to its Known Exploited Vulnerabilities catalog on April 13, a list used to force patching across federal networks. (cisa.gov, cyber.gc.ca)

Adobe credited Li with reporting the flaw and said users can patch through Help, then Check for Updates, while managed environments can push the fix through enterprise deployment tools. For anyone still treating PDFs as inert files, this patch says otherwise. (adobe.com)
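The "prototype pollution" label Adobe attached to the bug describes a class of weakness rather than this particular exploit, and it is easiest to see in a few lines of JavaScript, the language Acrobat embeds for scripting. The block below is an added example written for this page; it is not Adobe's code and not the PDF sample the researchers analyzed. It uses a constructed attacker JSON payload and a generic settings-merge helper (the names mergeUnsafe, mergeSafe, pollutes and ownSetting are this example's own) to show how one stray "__proto__" key in untrusted input changes the behaviour of every object in the program, and what the fixed helper and a defensive lookup look like.

```javascript
// Added illustration, not Adobe code and not the CVE-2026-34621 exploit:
// a generic prototype-pollution bug in a recursive settings merge, the kind
// of helper that applies caller-supplied JSON onto a defaults object.
// The attacker JSON below is constructed for this example.
const ATTACKER_JSON = '{"title":"Q3 report","__proto__":{"isAdmin":true}}';

// Vulnerable merge: walks every own key of the source, including a key
// literally named "__proto__" (JSON.parse creates it as an own property).
// Reading target["__proto__"] returns Object.prototype, so the recursion
// then writes attacker-chosen properties onto the prototype shared by
// every plain object in the process.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuses the keys that lead to a prototype, and only
// descends into nested objects the target actually owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge against the attacker input, then checks whether an
// unrelated object created afterwards has silently acquired "isAdmin".
// Removes the property again so the process is left as it was found.
function pollutes(mergeFn) {
  const settings = { title: "untitled" };
  mergeFn(settings, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Defensive read: only own properties count as real settings, so even a
// polluted prototype cannot grant a privilege the object never had.
function ownSetting(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe merge pollutes Object.prototype:", pollutes(mergeUnsafe));
  console.log("safe merge pollutes Object.prototype:  ", pollutes(mergeSafe));
}
```

Run it with node: the unsafe merge leaves isAdmin on Object.prototype, so an empty object created afterwards reports isAdmin as true, while the hardened merge keeps the title and drops the poisoned key. Beyond filtering keys, a program that parses untrusted data can call Object.freeze(Object.prototype) at startup or keep lookup tables in Object.create(null) objects, which have no prototype to poison; the example avoids freezing so that it leaves the runtime untouched.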
