Adobe patches exploited zero‑day
Adobe issued an emergency patch for an Acrobat/Reader zero‑day vulnerability that was being actively exploited in the wild and could enable remote code execution via malicious PDFs. (helpnetsecurity.com) (thehackernews.com)

Adobe pushed an emergency fix on April 11 for a newly disclosed Acrobat and Reader flaw that attackers were already using through booby-trapped PDF files. (thehackernews.com) The bug is tracked as CVE-2026-34621, and Adobe said successful exploitation could let an attacker run code on a target machine in the context of the current user. Security researchers and multiple outlets described the issue as active in the wild before the patch shipped. (securityweek.com)

Adobe’s update covers Acrobat DC and Acrobat Reader DC on Windows and macOS, moving those products to version 26.001.21411. Acrobat 2024 also got fixes, to version 24.001.30362 on Windows and 24.001.30360 on macOS. (securityweek.com)

A PDF reader is supposed to open documents, not let a document take over the computer reading it. In this case, researchers said a malicious PDF could abuse Adobe’s built-in JavaScript support, the scripting feature used for forms and interactive files, to break expected security boundaries. (malwarebytes.com)

Adobe classified the flaw as “prototype pollution,” a JavaScript weakness in which attacker-controlled data changes how software objects behave behind the scenes. Adobe and other write-ups said that manipulation could end in arbitrary code execution after a user opened a crafted file. (socradar.io)

Researchers said the attacks had been running since at least December 2025, months before Adobe published a fix on April 11, 2026. Sophos said lures tied to the Russian oil and gas sector suggested the early activity was targeted rather than mass spam. (sophos.com)

Adobe assigned the patch a Priority 1 rating, its highest urgency tier, which the company uses for issues with a higher risk of active exploitation. Several security reports said administrators should treat the update as an immediate deployment rather than a routine monthly patch. (lilting.ch)

The United States Cybersecurity and Infrastructure Security Agency says its Known Exploited Vulnerabilities catalog is the government’s list of flaws being used in real attacks, and defenders use it to prioritize patching. As of April 13, 2026, public CISA catalog pages available through search did not show CVE-2026-34621 listed yet. (cisa.gov)

For companies that rely on PDF workflows, the practical risk is simple: a file that looks like an invoice, contract, or report can become the entry point for a compromise. Adobe’s fix closes that window, but only after users and administrators install it. (helpnetsecurity.com)
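
What the “prototype pollution” class named above looks like in ordinary JavaScript, as an added example that is not from Adobe or the cited reports and does not reproduce CVE-2026-34621, whose internals the page does not describe. The function names, the `isTrusted` property and the JSON input are constructed for illustration; the second function shows the usual hardening beside the vulnerable merge.

```javascript
// Generic illustration of the prototype-pollution bug class (assumed names;
// not Acrobat's code and not the CVE-2026-34621 flaw).

// Vulnerable: recursively copies every key from untrusted data.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes attacker-chosen keys onto the shared prototype.
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips prototype-related keys and only descends into own properties.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input standing in for attacker-controlled data.
const SAMPLE = '{"__proto__": {"isTrusted": true}, "title": "invoice"}';

function demo() {
  const merged = safeMerge({}, JSON.parse(SAMPLE));
  const afterSafe = ({}).isTrusted;      // unrelated object is unaffected
  unsafeMerge({}, JSON.parse(SAMPLE));
  const afterUnsafe = ({}).isTrusted;    // every object now inherits the key
  delete Object.prototype.isTrusted;     // undo the pollution
  return { title: merged.title, afterSafe, afterUnsafe, afterCleanup: ({}).isTrusted };
}

console.log(demo());
```

The point for defenders is the `afterUnsafe` result: one merge of untrusted data changes the behaviour of objects that never touched that data, which is why the class can cross boundaries the application assumed were separate.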