Adobe issues emergency Reader fix

Adobe released an out‑of‑band emergency patch for an Acrobat Reader zero‑day (CVE‑2026‑34621) that was exploited in the wild. Vendors described the flaw as enabling code execution and pushed immediate updates after reports of active attacks. (helpnetsecurity.com) (cyberpress.org)

Adobe shipped an emergency update on April 11 for Acrobat and Acrobat Reader after confirming attackers were already exploiting CVE-2026-34621 in the wild. (helpx.adobe.com)

The bug affects both Windows and macOS versions of Acrobat Reader and Acrobat. Adobe’s bulletin says successful exploitation can lead to arbitrary code execution, meaning a booby-trapped file can make the victim’s computer run an attacker’s instructions. (helpx.adobe.com) (nvd.nist.gov)

Adobe assigned the flaw a “Priority 1” rating in bulletin APSB26-43, its highest urgency tier, and patched Acrobat Reader and Acrobat DC 26.001.21367 and earlier with version 26.001.21411. Acrobat 2024 on Windows moved from 24.001.30356 to 24.001.30362, while macOS moved to 24.001.30360. (helpx.adobe.com) (thecyberexpress.com)

The underlying weakness is a “prototype pollution” bug, a JavaScript flaw that lets hostile code tamper with the default properties other parts of a program rely on. Adobe and the National Vulnerability Database both classify CVE-2026-34621 as that kind of defect. (helpx.adobe.com) (nvd.nist.gov)

That matters because PDF readers routinely process JavaScript embedded inside documents, and security researchers said this flaw was being triggered through malicious PDF files. Sophos wrote on April 7 that the attacks had been active since at least December 2025. (sophos.com) (bleepingcomputer.com)

Adobe’s advisory does not name the attackers or describe the targets. Outside reporting from Sophos said the lures appeared tied to Russian-language documents and the Russian oil and gas sector, suggesting a targeted campaign rather than a broad spam run. (helpx.adobe.com) (sophos.com)

The vulnerability was reported to Adobe by Haifei Li of EXPMON, according to Adobe’s bulletin and Qualys. The National Vulnerability Database entry lists affected versions as 24.001.30356 and 26.001.21367 and earlier. (helpx.adobe.com) (threatprotect.qualys.com) (nvd.nist.gov)

The practical advice is simple: update Acrobat and Reader immediately and treat unsolicited PDF attachments as risky until patched systems are confirmed. Adobe says users who leave default settings on should receive the update automatically. (helpx.adobe.com) (heise.de)
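
One way to confirm patched systems, as an added example that is not from Adobe or the article: it compares inventoried version strings against the fixed builds quoted above. The track and platform labels, the inventory row layout and the hostnames are assumptions made for this example.

```python
# Fixed builds as quoted in the article for APSB26-43. The track/platform
# keys ("dc", "2024", "windows", "macos") are labels chosen for this example.
FIXED = {
    ("dc", "windows"): "26.001.21411",
    ("dc", "macos"): "26.001.21411",
    ("2024", "windows"): "24.001.30362",
    ("2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """Turn 'YY.NNN.NNNNN' into a tuple of ints; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def status(track, platform, version):
    """Return 'patched', 'needs_update' or 'unknown' for one installation."""
    fixed = FIXED.get((track.lower(), platform.lower()))
    if fixed is None:
        return "unknown"  # track/platform not covered by the article's figures
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # empty or malformed inventory field
    return "patched" if installed >= parse_version(fixed) else "needs_update"

def triage(inventory):
    """Map each host to its status; anything not 'patched' needs follow-up."""
    return {host: status(track, plat, ver) for host, track, plat, ver in inventory}

# Constructed sample inventory (hostnames and rows are made up).
SAMPLE = [
    ("ws-001", "dc", "windows", "26.001.21367"),
    ("ws-002", "dc", "windows", "26.001.21411"),
    ("mac-01", "2024", "macos", "24.001.30360"),
    ("ws-003", "2024", "windows", "24.001.30360"),  # macOS fix build, on Windows
    ("ws-004", "2024", "windows", "24.001.30356"),
    ("mac-02", "dc", "macos", ""),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}\t{result}")
```

Build 24.001.30360 counts as patched on macOS but not on Windows, so the comparison has to be made per platform rather than against a single threshold.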
