ADOBE on Saturday released emergency patches for a critical Acrobat and Reader zero-day that has been exploited in the wild for several months, tracked as CVE-2026-34621 with a CVSS of 9.6. According to Haifei Li, the flaw stems from improperly controlled modifications to prototype attributes and can be exploited to execute arbitrary code, with exploitation confirmed in the wild.
Acrobat and Reader for Windows and macOS are affected, with patches included in version 26.001.21411 of Acrobat DC and Acrobat Reader DC, and versions 24.001.30362 and 24.001.30360 of Acrobat 2024. Based on the analysis of an exploit sample uploaded to VirusTotal, exploitation began as early as November 2025, and Li indicated that an APT is likely behind the attacks, noting that the malicious PDFs used Russian-language lures and referenced events in Russia’s oil and gas sector.