Adobe patches exploited PDF zero‑day

Adobe released a patch for a PDF zero‑day vulnerability that security researchers say had been exploited for months against enterprise and consumer users. The fix was published after reports that attackers were actively using the flaw. (techcrunch.com) (techbuzz.ai)

Adobe has shipped an emergency fix for a zero-day in Acrobat and Reader after attackers spent months using booby-trapped PDF files against victims. (helpx.adobe.com)

Adobe said bulletin APSB26-43 was published April 11, 2026 and covers CVE-2026-34621, a critical flaw that can lead to arbitrary code execution on Windows and macOS. The company said the affected builds include Acrobat DC and Reader DC 26.001.21367 and earlier, plus Acrobat 2024 version 24.001.30356 and earlier. (helpx.adobe.com)

The patched versions are Acrobat DC and Reader DC 26.001.21411, plus Acrobat 2024 version 24.001.30362 on Windows and 24.001.30360 on macOS. Adobe gave the update a priority rating of 1, its highest urgency level for deployment. (helpx.adobe.com)

A PDF exploit is malicious code hidden in a document file, and this one worked when a target opened the file in Adobe’s reader software. Adobe and the National Vulnerability Database said CVE-2026-34621 is a prototype pollution bug, a JavaScript-engine flaw that can let an attacker run code in the current user’s context. (nvd.nist.gov) (helpx.adobe.com)

The flaw was not theoretical. Adobe said it was exploited in the wild, and the Cybersecurity and Infrastructure Security Agency added it to the Known Exploited Vulnerabilities catalog on April 13, 2026, giving federal civilian agencies until April 27 to apply mitigations. (helpx.adobe.com) (cisa.gov)

Researchers say the campaign started well before the patch. Sophos said a researcher described active exploitation on April 7 and traced it back to at least December 2025, while TechCrunch reported another malicious sample appeared on VirusTotal in late November 2025. (sophos.com) (techcrunch.com)

Haifei Li, the founder of EXPMON, said the malicious PDFs used obfuscated JavaScript and abused privileged Acrobat application programming interfaces, which are built-in functions that normally sit behind Adobe’s security controls. Sophos said the files could collect system data, steal information, and set up follow-on attacks including remote code execution. (justhaifei1.blogspot.com) (sophos.com)

The reported targeting appears narrower than a mass spam campaign. Sophos said Russian-language lure documents referenced the Russian oil and gas sector, and Li said he could not recover additional payloads from the attackers’ servers to identify the full objective. (sophos.com) (techcrunch.com)

Adobe revised one technical detail after release. In an April 12 update to the bulletin, the company changed the Common Vulnerability Scoring System attack vector from network to local, lowering the score from 9.6 to 8.6 because exploitation requires a user to open a malicious file. (helpx.adobe.com)

For users and information technology teams, the immediate step is simple: update Acrobat and Reader now, because the exploit chain depended on opening a PDF and the patch closes the hole attackers were already using. (helpx.adobe.com)
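
For teams checking a fleet against the patched builds listed above, the following triage script is an added example, not code from Adobe or from this article. The CSV layout, column names and host names are assumptions, and any build below the fixed one is treated as needing the update, including builds the article does not list as affected.

```python
import csv
import io

# Fixed builds as stated in the article (bulletin APSB26-43).
FIXED = {
    ("dc", "windows"): (26, 1, 21411),    # Acrobat DC / Reader DC
    ("dc", "macos"): (26, 1, 21411),
    ("2024", "windows"): (24, 1, 30362),  # Acrobat 2024
    ("2024", "macos"): (24, 1, 30360),
}

def parse_version(text):
    """Turn '26.001.21367' into (26, 1, 21367); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Map each host to 'patched', 'needs_update' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["track"].strip().lower(), row["platform"].strip().lower())
        fixed = FIXED.get(key)
        version = parse_version(row["version"])
        if fixed is None or version is None:
            # Unrecognised track/platform or unreadable version: check by hand.
            results[row["host"]] = "unknown"
        elif version >= fixed:
            results[row["host"]] = "patched"
        else:
            results[row["host"]] = "needs_update"
    return results

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,track,platform,version
ws-01,dc,windows,26.001.21367
ws-02,dc,windows,26.001.21411
mac-01,2024,macos,24.001.30360
ws-03,2024,windows,24.001.30360
ws-04,dc,windows,not-reported
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

The Acrobat 2024 fixed build differs by platform, so 24.001.30360 counts as patched on macOS but still needs the update on Windows.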
