ADOBE has released emergency updates for Adobe Acrobat and Reader to fix a critical vulnerability, CVE-2026-34621, which is being actively exploited in the wild and carries a CVSS score of 8.6. The flaw involves an improperly controlled modification of object prototype attributes (prototype pollution) that can allow attackers to execute arbitrary code on affected systems.
The update covers Windows and macOS across Acrobat DC Continuous (26.001.21367 and earlier), Acrobat Reader DC Continuous (26.001.21367 and earlier), and Acrobat 2024 Classic (24.001.30356 and earlier). According to Adobe, exploitation could lead to arbitrary code execution if a crafted PDF is opened. The article notes that Haifei Li, founder of EXPMON, reported the flaw and that EXPMON described how a zero-day flaw was used for months to deliver malicious JavaScript via PDFs.
The piece also references a March 26 submission to EXPMON and cites detection and analysis by EXPMON as part of the case demonstrating advanced zero-day activity.