Adobe patches active PDF zero‑day
Adobe released a patch for CVE-2026-34621 after researchers found the Acrobat Reader flaw was being actively exploited and could allow remote code execution via malicious PDFs. (thehackernews.com) The same exploit vector—fake PDF attachments used in phishing—was reported as a live campaign, and security outlets urged immediate updates. (ubergizmo.com)
A PDF is a document container, and Adobe Reader is the software many people use to open it. Adobe on April 11 released an emergency fix for CVE-2026-34621 after confirming attackers were already abusing the flaw through booby-trapped PDF files. (securityweek.com) The bug affects Adobe Acrobat and Reader on Windows and macOS and can let an attacker run code on a victim's machine in the context of the logged-in user. Adobe's fixed versions are 26.001.21411 for Acrobat DC and Reader DC and, for Acrobat 2024, 24.001.30362 on Windows and 24.001.30360 on macOS. (securityweek.com)
Adobe described the flaw as "prototype pollution," a JavaScript problem where an attacker changes shared object properties so trusted code behaves in unsafe ways. In this case, the malformed PDF can trigger malicious JavaScript when the file is opened. (opencve.io, sophos.com)
The attack still needs a person to open the file, which is why researchers and security outlets focused on phishing emails carrying fake invoices, reports, or other business documents. Adobe's advisory says exploitation requires user interaction, and multiple reports said the campaign had been active since at least December 2025. (opencve.io, thehackernews.com) That combination makes the bug dangerous in ordinary office workflows, because PDF files are routinely exchanged by email and often treated as low-risk attachments.
Security researcher Haifei Li said he found the exploit while analyzing a sophisticated sample uploaded to Expmon, his file-exploit detection system. (securityweek.com) Early reporting on the exploit chain said the first observed payload focused on collecting system and user data, not immediately dropping ransomware or wiping files. Researchers said later stages could still add remote code execution and a sandbox escape, which is why Adobe classified the issue as code execution in its advisory. (securityweek.com, ubergizmo.com)
Adobe also revised the severity details on April 12, changing the attack vector from "Network" to "Local," which dropped the Common Vulnerability Scoring System score from 9.6 to 8.6. The practical takeaway did not change: the victim still only has to open a malicious PDF for the exploit to start. (thehackernews.com, opencve.io)
The timing fits a familiar pattern in document-borne attacks: a file format built for convenience becomes a delivery vehicle because users recognize it and security teams cannot block every attachment. Adobe's own release notes say Acrobat updates are meant to protect systems against malicious attacks through PDF files. (adobe.com, sophos.com)
For users and companies, the immediate step is simple: install the patched Reader or Acrobat build and treat unexpected PDF attachments the way they would treat an unknown program. This flaw turned an ordinary document open into a possible system compromise, and Adobe says the fix is already available. (securityweek.com, adobe.com)
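The prototype pollution class that Adobe names above, shown as an added JavaScript illustration; it is not Acrobat code and does not come from Adobe or the cited reports. A generic recursive merge lets untrusted data write to `Object.prototype`, and a hardened version sits beside it. The option name `allowLaunch`, the function names and the sample input are constructed for this example.

```javascript
// Added illustration of the bug class only; all names here are hypothetical.
// Constructed input: JSON.parse turns "__proto__" into an ordinary own key.
const UNTRUSTED = '{"__proto__": {"allowLaunch": true}}';
const isObj = (v) => v !== null && typeof v === 'object';
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: follows every key, so "__proto__" walks into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObj(source[key])) {
      if (!isObj(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuses prototype-reaching keys and only descends into own properties.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    if (isObj(source[key])) {
      if (!own(target, key) || !isObj(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// "Trusted" check that assumes an unset option is off, and a strict variant
// that ignores anything inherited from the prototype chain.
const launchAllowed = (policy) => policy.allowLaunch === true;
const launchAllowedStrict = (policy) => own(policy, 'allowLaunch') && policy.allowLaunch === true;

// Merge untrusted data into one object, then test a fresh, unrelated object.
function runDemo(merge) {
  try {
    merge({}, JSON.parse(UNTRUSTED));
    const policy = {};
    return { inherited: launchAllowed(policy), strict: launchAllowedStrict(policy) };
  } finally {
    delete Object.prototype.allowLaunch; // restore shared state
  }
}

console.log('unsafe:', runDemo(unsafeMerge), 'safe:', runDemo(safeMerge));
```

After the unsafe merge, the fresh `policy` object reports the option as enabled even though nothing set it, which is the "trusted code behaves in unsafe ways" effect; the own-property check and the key blocklist each stop it independently.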