Adobe has patched an arbitrary code execution vulnerability in the latest versions of Acrobat and Reader for Windows and macOS, nearly four months after an attacker appears to have begun exploiting it. The high-severity flaw, tracked as CVE-2026-34621, carries a CVSS score of 8.6 (revised down from an initial 9.6) and stems from a combination of improper input validation and unsafe handling of object attributes.
Independent security researcher Haifei Li uncovered the vulnerability while analysing a maliciously crafted PDF uploaded to VirusTotal, where it was described as a highly sophisticated exploit for an unpatched zero-day flaw. Li’s findings indicated that the malicious PDF could trigger CVE-2026-34621 simply by a user opening the file, with no additional clicks or permissions required.
Adobe acknowledged the issue in an April 11 advisory, confirmed that it had been exploited in the wild, released updated versions and urged organisations to update. According to Li, the malware payload implements reconnaissance and data exfiltration capabilities and could potentially enable remote code execution or a sandbox escape when combined with follow-on exploits.
Regarding the user-facing risk, Malwarebytes advised organisations to patch promptly and to exercise extra caution with PDFs or attachments from unknown sources. The flaw is also described in the CVE-2026-34621 entry on NIST's National Vulnerability Database (NVD).