Active Adobe Reader zero‑day
Researchers are reporting an active zero‑day in Adobe Reader that allows data theft merely by opening a malicious PDF, with exploit activity observed in the wild. The campaign underscores the continued risk of document‑based vectors for initial access and data exfiltration. (x.com)
A portable document format file is supposed to be a sealed envelope: text and images go in, and the reader app just shows them on screen. Adobe Acrobat Reader breaks that seal by supporting JavaScript, a scripting feature that lets a PDF behave more like a tiny program than a static page. (sophos.com) That matters because the new attack does not need a fake button click or a downloaded attachment inside the document. Researchers say opening the booby-trapped PDF in Adobe Reader is enough to trigger the exploit on fully updated systems. (pcworld.com)

The flaw was first described publicly on April 7, 2026 by Haifei Li, the founder of the exploit-monitoring platform EXPMON. Li said attackers have been abusing an unpatched Adobe Reader vulnerability since at least December 2025. (securityweek.com)

The malicious files do not appear to smash a computer immediately like ransomware. Sophos says the PDFs first fingerprint the machine, which means they quietly collect details about the system, the user, and nearby files so the attacker can decide whether the target is worth a second-stage attack. (sophos.com) Researchers who examined the samples say the documents use heavily obfuscated JavaScript, which is code deliberately scrambled to look like nonsense to defenders while still running normally inside Reader. That hidden code can reach privileged Acrobat application programming interfaces, which are built-in functions that should be tightly controlled because they can touch local data. (bleepingcomputer.com)

Early samples reportedly used Russian-language lures tied to oil and gas topics, which points to a targeted campaign instead of a mass spam blast. The Register and Sophos both say the bait documents look designed to profile specific victims before a larger compromise. (theregister.com)

On April 11, 2026, Adobe assigned the bug CVE-2026-34621, which is the catalog number security teams use to track one specific vulnerability across vendors and tools. Public CVE records describe it as a prototype pollution issue in Acrobat Reader that can lead to arbitrary code execution in the current user's context. (opencve.io) Those CVE records list affected Acrobat Reader versions as 24.001.30356 and 26.001.21367 and earlier, and they score the bug at 9.6 out of 10 on the Common Vulnerability Scoring System. That score reflects a flaw that can be reached over a network, needs no attacker privileges, and can hit confidentiality, integrity, and availability all at once. (github.com)

Adobe has now confirmed that CVE-2026-34621 is being exploited in the wild on both Windows and macOS. Forbes reports Adobe told users to install the security update within 72 hours, which means this moved from researcher warning to vendor-confirmed emergency on April 11. (forbes.com)

The old lesson is back: a PDF is still one of the easiest ways to get code onto a target because invoices, contracts, shipping notices, and court filings all arrive as documents every day. When the file format doubles as a scripting container, "just opening the attachment" stops being a harmless action. (csoonline.com)
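The two properties the article keeps returning to, a script that runs on open and a script that is deliberately scrambled, are things a mail gateway or incident responder can check for statically before a file ever reaches Reader. The following triage script is an added example written for this page, not code from any of the cited researchers or from Adobe; the sample PDFs inside it are constructed and deliberately minimal (no cross-reference table), and it covers two evasions a naive grep misses: hex-escaped names such as /J#61vaScript and JavaScript hidden inside a FlateDecode-compressed stream.

```python
import re
import zlib

# Constructed sample (not a real campaign file): a minimal PDF whose /OpenAction
# runs JavaScript the moment the document opens. No xref table; enough for static triage.
SAMPLE_OPENACTION = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (var s=unescape('%u0041');app.alert(s);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def build_hidden_sample() -> bytes:
    # Constructed variant: the action name is hex-escaped (/J#61vaScript) and sits
    # inside a FlateDecode stream, so a plain grep for '/JavaScript' misses it.
    inner = zlib.compress(b"<< /S /J#61vaScript /JS (eval(unescape('%61%70%70'))) >>")
    return (b"%PDF-1.7\n1 0 obj << /Type /Page /AA << /O 3 0 R >> >> endobj\n"
            b"3 0 obj << /Length " + str(len(inner)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + inner + b"\nendstream\nendobj\n%%EOF\n")

def inflate_streams(data: bytes) -> list:
    # Decompressed body of every stream that zlib can inflate; others are skipped.
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            out.append(zlib.decompress(m.group(1)))  # trailing EOL bytes are ignored by zlib
        except zlib.error:
            pass
    return out

def normalize_names(data: bytes) -> bytes:
    # Resolve #xx escapes so /J#61vaScript reads as /JavaScript. Run this only after
    # inflation: rewriting '#' bytes inside still-compressed data would corrupt it.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def has_name(text: bytes, name: bytes) -> bool:
    # Boundary check keeps /AA from matching unrelated keys such as /AAPL:Keywords.
    return re.search(rb"/" + name + rb"(?![A-Za-z0-9])", text) is not None

OBFUSCATION_HINTS = [b"eval(", b"unescape(", b"String.fromCharCode", b"%u", b"\\x"]

def triage_pdf(data: bytes) -> dict:
    # Static triage: is JavaScript present, can it fire without a click, and does
    # the script show the encoding tricks typical of obfuscated code?
    text = normalize_names(data + b"\n" + b"\n".join(inflate_streams(data)))
    has_js = has_name(text, b"JavaScript") or has_name(text, b"JS")
    triggers = [t for t in ("OpenAction", "AA") if has_name(text, t.encode())]
    hints = [h.decode() for h in OBFUSCATION_HINTS if h in text]
    verdict = "review" if has_js and triggers else ("contains-js" if has_js else "no-js")
    return {"has_js": has_js, "triggers": triggers, "hints": hints, "verdict": verdict}
```

A "review" verdict is a reason to detonate the file in a sandbox or open it only with JavaScript disabled in Reader's preferences, not proof of exploitation; legitimate forms also carry scripts, so the trigger and obfuscation fields are what separate a noisy form from a likely lure.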