Adobe patches exploited Acrobat zero‑day

Adobe has shipped an emergency Acrobat and Reader update after confirming attackers were already using a PDF bug against Windows and macOS users. (helpx.adobe.com) The flaw is tracked as CVE-2026-34621 in bulletin APSB26-43, which Adobe published on April 11, 2026. Adobe marked the update Priority 1, its top urgency tier for product updates. (nvd.nist.gov) (helpx.adobe.com) A zero-day is a software flaw attackers exploit before a fix is widely installed. In this case, Adobe said a malicious PDF can trigger arbitrary code execution, which means the attacker’s code can run on the victim’s machine in the current user’s context. (nvd.nist.gov) (tenable.com) The bug sits in Acrobat’s JavaScript handling and is classified as prototype pollution, a type of coding flaw in which untrusted data changes how objects behave. Adobe and security databases tie that weakness to CWE-1321, “Improperly Controlled Modification of Object Prototype Attributes.” (nvd.nist.gov) (cyberpress.org) The affected builds include Acrobat and Reader Continuous Track 26.001.21367 and earlier, plus Acrobat 2024 Classic Track 24.001.30356 and earlier. Adobe’s patched versions are 26.001.21411 for Continuous Track, 24.001.30362 for Acrobat 2024 on Windows, and 24.001.30360 for Acrobat 2024 on macOS. (cyberpress.org) (thecyberexpress.com) Researchers said the attacks had been running since at least December 2025, months before Adobe released the fix. Sophos said the malicious files used obfuscated JavaScript, and one researcher linked the lures to Russian-language documents aimed at the oil and gas sector. (sophos.com) (thehackernews.com) That timeline puts Acrobat in a familiar place for defenders: email attachments and downloaded PDFs remain one of the easiest ways to get code onto a workstation. Sophos advised organizations to scan PDF attachments automatically, block suspicious files, train users to avoid unsolicited documents, and update systems once Adobe’s patch became available. (sophos.com) Adobe revised the bulletin on April 12, 2026, and outside trackers noted that the scoring changed after the attack vector was adjusted from network to local. The update did not change Adobe’s core warning that the flaw was being exploited in the wild. (thehackernews.com) (hoploninfosec.com) As of April 13, 2026, the United States Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog page was live, but this Adobe flaw did not appear in the visible entries returned here. Adobe’s advice was simpler: install the patched build on affected endpoints. (cisa.gov) (helpx.adobe.com)