Adobe Acrobat security patch

Adobe released a patch for an Acrobat Reader vulnerability (CVE-2026-34621) that had been actively exploited since December 2025 and could permit remote code execution from malicious PDFs. The vendor update closes an attack vector tied to routine document exchanges in creative and professional workflows (thehackernews.com).

Adobe has shipped an emergency Acrobat and Reader update after confirming that attackers were already using a PDF flaw to run code on victims’ machines. (adobe.com) (forbes.com)

The bug is tracked as CVE-2026-34621, and Adobe’s patched Continuous track build is 26.001.21411, released April 10, 2026. Adobe’s release notes show the prior vulnerable build was 26.001.21367. (adobe.com) A Hong Kong Computer Emergency Response Team bulletin, citing Adobe, said the flaw also affects Acrobat 2024 version 24.001.30356 and earlier. The fixed Acrobat 2024 builds are 24.001.30360 for macOS and 24.001.30362 for Windows. (hkcert.org)

A PDF is supposed to behave like digital paper, but Acrobat also runs embedded code to handle forms, scripts, and interactive features. In this case, security researchers said a booby-trapped file could trigger the bug when a user simply opened the document. (forbes.com) The underlying weakness is a “prototype pollution” bug, a JavaScript flaw that lets attackers tamper with how a program handles data objects. HKCERT said successful exploitation could lead to arbitrary code execution in the context of the current user. (hkcert.org)

The timing matters because researchers said the attacks had been active since at least December 2025, months before Adobe published a fix on April 10. Forbes reported Adobe told users to install the update within 72 hours. (forbes.com)

Adobe’s update lands in software used across legal, finance, government, and creative teams, where PDFs move through inboxes and shared drives every day. Adobe’s own enterprise release notes say Acrobat updates are meant to protect systems from malicious attacks delivered through PDF files. (adobe.com)

The United States Cybersecurity and Infrastructure Security Agency says its Known Exploited Vulnerabilities catalog is the government’s tracking list for bugs used in the wild and says organizations should use it to prioritize patching. As of April 13, 2026, the catalog page available through web search did not show CVE-2026-34621 in the visible entries. (cisa.gov)

For users, the fix is simple: update Acrobat or Reader and stop treating PDFs as inert attachments. For companies, the larger job is faster patching on the machines that open the most outside documents. (adobe.com) (cisa.gov)
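For teams prioritizing that patching work, the following added example (not code from Adobe or from the article) triages an endpoint inventory against the build numbers quoted above. The track-by-major-version mapping, the single Continuous fixed build for both platforms, the treatment of builds at or below the last known affected build as vulnerable, and the hostnames are assumptions made for illustration.

```python
import re

# Builds are those quoted in the article. Assumed: major 26 = Continuous,
# major 24 = Acrobat 2024, one Continuous fixed build for both platforms.
FIXED = {
    ("continuous", "windows"): (26, 1, 21411),
    ("continuous", "macos"): (26, 1, 21411),
    ("acrobat2024", "windows"): (24, 1, 30362),
    ("acrobat2024", "macos"): (24, 1, 30360),
}
LAST_KNOWN_AFFECTED = {"continuous": (26, 1, 21367), "acrobat2024": (24, 1, 30356)}
TRACK_BY_MAJOR = {26: "continuous", 24: "acrobat2024"}
BUILD_RE = re.compile(r"^\s*(\d{1,2})\.(\d{1,3})\.(\d{1,5})\s*$")

def parse_build(text):
    """Turn '26.001.21411' into (26, 1, 21411); return None if malformed."""
    match = BUILD_RE.match(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(build_text, platform):
    """Return 'patched', 'vulnerable', 'unverified' or 'unparseable'."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable"
    track = TRACK_BY_MAJOR.get(build[0])
    fixed = FIXED.get((track, platform.strip().lower()))
    if fixed is None:
        return "unverified"  # track or platform the article does not cover
    if build >= fixed:
        return "patched"
    if build <= LAST_KNOWN_AFFECTED[track]:
        return "vulnerable"  # assumption: older builds on the track are affected
    return "unverified"  # between last known affected and first fixed build

def triage(inventory):
    """Return (host, status) for every host that is not confirmed patched."""
    flagged = [(host, classify(build, plat)) for host, plat, build in inventory]
    return [(host, status) for host, status in flagged if status != "patched"]

# Constructed sample inventory: (hostname, platform, installed build string).
SAMPLE_INVENTORY = [
    ("fin-ws-01", "Windows", "26.001.21367"),
    ("legal-mb-07", "macOS", "24.001.30360"),
    ("legal-ws-02", "Windows", "24.001.30360"),
    ("design-ws-11", "Windows", "26.001.21411"),
    ("gov-ws-04", "Windows", "25.001.20997"),
]
```

Build 24.001.30360 counts as patched on macOS but stays "unverified" on Windows, where the quoted fixed build is 24.001.30362; hosts in that state need a manual check against the vendor bulletin.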
