Adobe issues emergency Reader patch
Adobe released an emergency patch for an Acrobat Reader zero‑day that was being exploited in the wild, and security outlets advised immediate updating to avoid risk. The flaw could be triggered by simply opening a malicious PDF, prompting urgent fixes from Adobe. (helpnetsecurity.com)
Adobe pushed an emergency update on April 11 for a zero-day in Acrobat and Reader that the company said was already being exploited. (helpx.adobe.com)

The bug is tracked as CVE-2026-34621, and Adobe said successful attacks could let an attacker run code on a victim’s machine in the context of the current user. The flaw affects both Windows and macOS versions of Acrobat and Reader. (helpx.adobe.com)

The National Vulnerability Database describes the issue as “prototype pollution,” a JavaScript bug class where tampering with shared object settings can change how a program behaves. In Acrobat Reader, that can turn a booby-trapped Portable Document Format file into a path for code execution. (nvd.nist.gov)

Adobe’s bulletin lists affected builds as Acrobat 2024 versions 24.001.30356 and earlier, and Acrobat and Reader DC versions 26.001.21367 and earlier. The patched versions are 24.001.30362 for Windows, 24.001.30360 for macOS, and 26.001.21411 for both Acrobat DC and Reader DC. (helpx.adobe.com)

The United States Cybersecurity and Infrastructure Security Agency added CVE-2026-34621 to its Known Exploited Vulnerabilities catalog on April 13. That catalog is reserved for bugs with confirmed real-world abuse, and federal civilian agencies are required to fix listed flaws by the due date CISA sets. (cisa.gov)

Security outlets reported that exploitation appears to date back months before the patch. BleepingComputer said attacks had been seen since at least December 2025, while Help Net Security reported activity since November 2025. (bleepingcomputer.com) (helpnetsecurity.com)

Adobe labeled the bulletin “Priority 1,” its highest urgency tier for updates tied to exploited vulnerabilities. The company did not publicly identify the attackers or describe specific targets in the bulletin. (helpx.adobe.com)

For users and information technology teams, the practical risk is simple: a malicious Portable Document Format file can arrive by email, chat, or download, and opening it may be enough to trigger the exploit. Adobe’s fix is already out, and CISA’s catalog entry means patching has moved from routine maintenance to active incident prevention. (nvd.nist.gov) (cisa.gov)
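
For teams triaging a fleet against the build numbers quoted above, the following is an added example (not Adobe or CISA tooling) that classifies installed builds as vulnerable, patched, or unlisted. The track labels (`acrobat2024`, `dc`), the function names and the sample inventory are assumptions constructed for illustration; only the build numbers come from the bulletin text on this page.

```python
import re

# Build numbers as quoted from Adobe's bulletin in the article above.
# (track, platform) -> (last build listed as affected, first patched build)
BULLETIN = {
    ("acrobat2024", "windows"): ("24.001.30356", "24.001.30362"),
    ("acrobat2024", "macos"):   ("24.001.30356", "24.001.30360"),
    ("dc", "windows"):          ("26.001.21367", "26.001.21411"),
    ("dc", "macos"):            ("26.001.21367", "26.001.21411"),
}

def parse_build(text):
    """Turn 'NN.NNN.NNNNN' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d{1,2})\.(\d{3})\.(\d{5})\s*", text)
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(track, platform, installed):
    """Return 'vulnerable', 'patched' or 'unlisted' for one install."""
    key = (track.lower(), platform.lower())
    if key not in BULLETIN:
        raise ValueError(f"no bulletin entry for {track}/{platform}")
    last_affected, first_patched = BULLETIN[key]
    build = parse_build(installed)
    if build <= parse_build(last_affected):
        return "vulnerable"
    if build >= parse_build(first_patched):
        return "patched"
    # Builds between the two numbers are not mentioned in the article:
    # do not guess, flag them for manual review.
    return "unlisted"

def triage_inventory(rows):
    """rows: (host, track, platform, build). Bad rows map to 'error'."""
    report = {}
    for host, track, platform, build in rows:
        try:
            report[host] = triage(track, platform, build)
        except ValueError:
            report[host] = "error"
    return report

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [("ws-001", "dc", "windows", "26.001.21367"),
          ("ws-002", "dc", "windows", "26.001.21411"),
          ("mac-003", "acrobat2024", "macos", "24.001.30360"),
          ("ws-004", "acrobat2024", "windows", "24.001.30360"),
          ("ws-005", "dc", "windows", "2026.001")]
if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

The same build string, 24.001.30360, is patched on macOS but lands in the unlisted gap on Windows, which is why the platform must be part of the inventory record.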