Adobe Patches Critical Acrobat Zero-Day Exploited Since December


Security Reporter

Adobe has released an emergency security update for Acrobat and Reader to fix a zero-day vulnerability (CVE-2026-34621) that has been actively exploited since December 2025, allowing attackers to bypass sandbox restrictions and execute arbitrary code through malicious PDF files.

Adobe has released an emergency security update for Acrobat and Reader to address a critical zero-day vulnerability that has been actively exploited in the wild since at least December 2025. The flaw, tracked as CVE-2026-34621, allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, potentially leading to arbitrary code execution on affected systems.

Vulnerability Details and Exploitation

The vulnerability enables attackers to read and steal arbitrary files from victim systems without requiring any user interaction beyond opening the malicious PDF document. According to security researcher Haifei Li, founder of the EXPMON exploit detection system, the exploit specifically abuses APIs like util.readFileIntoStream() to read arbitrary local files and RSS.addFeed() to exfiltrate data and fetch additional attacker-controlled code.
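A triage check built on the two API names above, as an added example that is not code from Adobe, EXPMON or the original article: it inflates Flate-compressed PDF streams and counts references to those names. The sample inputs are constructed marker text, and the helper names are assumptions made for illustration.

```python
import re
import zlib

# API names the article reports the exploit abusing (taken from the page).
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")

# Body of each stream object; the lookbehind skips the "stream" in "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def inflated_streams(pdf: bytes):
    """Yield the inflated body of every Flate-compressed stream."""
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the EOL bytes left before "endstream".
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw-file scan still sees plaintext


def scan_pdf(pdf: bytes) -> dict:
    """Return {api_name: occurrences} over the raw file and inflated streams."""
    hits = {}
    for chunk in (pdf, *inflated_streams(pdf)):
        for api in SUSPECT_APIS:
            count = chunk.count(api)
            if count:
                hits[api.decode()] = hits.get(api.decode(), 0) + count
    return hits


def constructed_sample(script: bytes) -> bytes:
    """Build a minimal PDF-like byte string (constructed test data)."""
    body = zlib.compress(script)
    header = b"<< /Length %d /Filter /FlateDecode >>" % len(body)
    return (b"%PDF-1.7\n1 0 obj\n" + header + b"\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


# Constructed marker text: API names only, no working script.
FLAGGED = constructed_sample(b"// marker only: util.readFileIntoStream RSS.addFeed")
CLEAN = constructed_sample(b"// constructed benign page script: app.alert")

if __name__ == "__main__":
    print("flagged:", scan_pdf(FLAGGED))
    print("clean:  ", scan_pdf(CLEAN))
```

A hit is a reason to send the file for manual review, not a verdict, and a miss proves nothing: script inside a PDF can be obfuscated or stored with a filter other than Flate.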

Li discovered the vulnerability after someone submitted a PDF sample named "yummy_adobe_exploit_uwu.pdf" to the EXPMON system on March 26, 2026. Interestingly, the same sample had been uploaded to VirusTotal three days earlier, where only five out of 64 security vendors had flagged it as malicious at the time. Li decided to manually investigate the issue after the exploit detection system activated its "detection in depth" feature, an advanced detection capability he specifically developed for Adobe Reader.

Security researcher Gi7w0rm observed attacks in the wild that leveraged Russian-language documents with oil and gas industry lures, suggesting targeted campaigns against specific sectors.

Affected Products and Update Instructions

Following Li's report, Adobe published a security bulletin over the weekend, initially rating the vulnerability as critical with a severity score of 9.6. The vendor later lowered the severity to 8.6 after changing the attack vector from network to local.

The following products are affected:

  • Acrobat DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
  • Acrobat Reader DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
  • Acrobat 2024 versions 24.001.30356 and earlier (fixed in version 24.001.30362 on Windows, and version 24.001.30360 on Mac)

Adobe recommends that users of the above software update their applications through 'Help > Check for Updates,' which triggers an automated update process. Alternatively, users may download an Acrobat Reader installer from Adobe's official software portal.

No Workarounds Available

Adobe's security bulletin lists no workarounds or mitigations, so applying the security updates is the only recommended action for users. The company emphasized that the vulnerability has been exploited in real-world attacks, underscoring the urgency of patching affected systems.

Protection Recommendations

While applying the security updates is the primary defense, users should always exercise caution when handling PDF files from unsolicited sources. Opening suspicious PDF documents in sandboxed environments can provide an additional layer of protection against potential exploitation attempts.

This incident highlights the ongoing challenges in securing widely used document formats and the importance of maintaining up-to-date security software. The fact that this zero-day was exploited for months before discovery demonstrates the sophisticated nature of modern cyber threats and the need for continuous vigilance in cybersecurity practices.


The emergency patch comes amid a wave of actively exploited vulnerabilities across various platforms, including critical flaws in Marimo, Flowise, Fortinet FortiClient EMS, and Langflow, as reported in recent security bulletins.
