thehackernews.com 4/12/2026, 6:31:10 AM

Adobe patches zero-day flaw in Acrobat Reader, CVE-2026-34621

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

Adobe has released emergency updates for Acrobat Reader to fix a critical flaw tracked as CVE-2026-34621, which carries a CVSS score of 8.6 out of 10.0 and is being exploited in the wild. The vulnerability is described as prototype pollution that could allow arbitrary code execution when a specially crafted PDF is opened. It affects Acrobat DC and Reader DC versions 26.001.21367 and earlier, as well as Acrobat 2024 versions 24.001.30356 and earlier.
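As an added example (not from the article or from Adobe), the following Python sketch triages a software inventory against the affected version ceilings quoted above. The CSV layout, host names, product labels and the sample version numbers other than the two ceilings are constructed for illustration.

```python
# Added example: ceilings are the "and earlier" versions quoted in the summary above.
# Product labels and the inventory rows below are constructed assumptions.
AFFECTED_MAX = {
    "acrobat dc": (26, 1, 21367),
    "reader dc": (26, 1, 21367),
    "acrobat 2024": (24, 1, 30356),
}

def parse_version(text):
    """Turn '26.001.21367' into (26, 1, 21367); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Classify one install against the ceiling for its product track."""
    ceiling = AFFECTED_MAX.get(product.strip().lower())
    if ceiling is None:
        return "unknown-product"      # track not named in the summary
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"          # needs manual inspection
    # Tuple comparison orders major, minor, build numerically.
    return "affected" if parsed <= ceiling else "above-listed-range"

def triage(inventory_csv):
    """Map host -> status for 'host,product,version' rows; skip malformed rows."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue
        host, product, version = fields
        results[host] = classify(product, version)
    return results

# Constructed sample inventory (not real hosts or real fixed-version numbers).
SAMPLE_INVENTORY = """
ws-001,Reader DC,26.001.21367
ws-002,Acrobat DC,26.001.21411
ws-003,Acrobat 2024,24.001.30356
ws-004,Acrobat 2024,24.001.30362
ws-005,Reader DC,25.001.20997
ws-006,Reader DC,unknown
ws-007,Acrobat 2020,20.005.30748
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A result of `above-listed-range` only means the version is newer than the ceiling quoted here; the summary does not list the fixed build numbers, so confirm those against Adobe's advisory.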

According to the advisory, Adobe is aware of CVE-2026-34621 being exploited in the wild. The company revised the CVSS score and attack vector after publication, changing the attack vector from Network (AV:N) to Local (AV:L). The article cites security researcher Haifei Li of EXPMON, who disclosed details of the zero-day exploitation and noted that exploitation may have begun in December 2025, with EXPMON claiming alignment with other researchers' findings.

The article also notes that the development follows Li’s disclosures about running malicious JavaScript code when opening crafted PDFs through Adobe Reader.


Article by CyberSIXT