Adobe has released an emergency security update to fix a critical vulnerability in its Acrobat and Reader software that has been actively exploited in the wild. The flaw, tracked as CVE-2026-34621, carries a high severity score of 8.6 and could allow attackers to execute malicious code on affected systems.
The vulnerability is linked to a prototype pollution issue within the software’s JavaScript engine, enabling threat actors to manipulate application behavior and potentially gain unauthorized control over a system. Successful exploitation can occur when a user opens a specially crafted PDF file, making it a significant risk given the widespread use of PDF documents in both personal and enterprise environments.
Adobe has acknowledged that the flaw has been actively exploited, with evidence suggesting attacks may have been ongoing since at least December 2025. Security researchers have observed that malicious PDF files were being used as attack vectors to trigger the vulnerability and execute harmful code.
The issue affects multiple versions of Acrobat and Reader across both Windows and macOS platforms, including Acrobat DC and Acrobat Reader DC versions prior to 26.001.21411, as well as Acrobat 2024 versions before the latest patched releases.
Experts warn that such vulnerabilities are particularly dangerous because they require minimal user interaction—often just opening an infected document—making them effective tools for targeted attacks and large-scale exploitation campaigns.
Adobe has urged users to update their software immediately to the latest versions to mitigate risks. The incident highlights the ongoing threat posed by zero-day vulnerabilities and reinforces the importance of timely patching and proactive cybersecurity measures in protecting systems from evolving attacks.
