Adobe has released critical patches for a zero-day vulnerability in Acrobat and Reader that has been actively exploited for several months. This vulnerability, identified as CVE-2026-34621, received an initial CVSS score of 9.6 due to its ability to allow arbitrary code execution through improperly controlled modifications to prototype attributes. However, Adobe later revised this score to 8.6 after determining that the exploit requires a file to be opened locally. The vulnerability affects both Windows and macOS systems, specifically impacting versions 26.001.21411 of Acrobat DC and Acrobat Reader DC, as well as versions 24.001.30362 and 24.001.30360 of Acrobat 2024. Haifei Li, a cybersecurity researcher with a track record at leading firms such as Fortinet and Microsoft, discovered the flaw while analyzing a sophisticated PDF exploit. Li's analysis suggested that exploitation began as early as November 2025 and indicated the involvement of an advanced persistent threat. The malicious PDFs used in the attacks reportedly contained Russian-language lures. Li and other researchers have shared technical details and indicators of compromise to aid in defense efforts. Adobe emphasizes the importance of applying the patch promptly to mitigate potential risks, despite the lowered severity rating.
Urgent Patch Released for Long-Exploited Adobe Reader Vulnerability
Adobe patched a Reader zero-day (CV E-2026-34621) after it was exploited in the wild for months; keep systems updated.


