Adobe has released emergency patches for a critical zero-day vulnerability in Acrobat and Reader, identified as CVE-2026-34621. This vulnerability, which carries a CVSS score of 9.6, has been actively exploited in the wild for several months. The flaw arises from improperly controlled modifications to prototype attributes and can be leveraged to execute arbitrary code. Affected versions include Acrobat DC and Acrobat Reader DC for Windows and macOS. The patches are incorporated in version 26.001.21411 of Acrobat DC and Acrobat Reader DC, as well as versions 24.001.30362 and 24.001.30360 of Acrobat 2024. Adobe's advisory confirms the exploitation of this vulnerability, underscoring the urgency for users to update their systems promptly. Haifei Li, a reputable researcher with experience at Fortinet, McAfee, Microsoft, and Check Point, reported the flaw. Li discovered the zero-day while examining a sophisticated PDF exploit on his sandbox system, Expmon. This exploit was initially designed to gather information, but later stages could potentially involve remote code execution and a sandbox escape. Analysis of a sample from VirusTotal suggests that the exploitation began as early as November 2025. It is likely linked to an advanced persistent threat, with malicious PDFs using Russian-language lures related to Russia's oil and gas sector. Although Adobe has updated the CVSS score to 8.6, indicating a high severity level due to the requirement of local file opening, the urgency to apply the patch remains critical. Security professionals are advised to implement the patch immediately to mitigate potential risks.