Adobe has released a critical security patch to address a zero-day vulnerability in its Acrobat and Reader software that had been actively exploited by hackers for several months. The flaw, tracked as CVE-2026-34621, allowed attackers to install malware on a victim’s device simply by tricking them into opening a specially crafted PDF file.
The vulnerability affected widely used products including Acrobat DC, Reader DC, and Acrobat 2024 across both Windows and macOS systems. Security researchers found evidence that the exploit had been circulating since late 2025, giving attackers a prolonged window to target users before a fix was released.
The flaw is linked to a prototype pollution issue in the software’s JavaScript engine, which could be abused to execute arbitrary code on compromised systems. This made it particularly dangerous, as attackers could gain deep access to devices, steal sensitive information, or deploy additional malicious payloads.
Adobe confirmed that the vulnerability was being actively exploited in real-world attacks, classifying it as a zero-day—meaning it was used by hackers before the company had a chance to patch it. The scale of the attack remains unclear, but given the widespread use of PDF software globally, the potential impact is considered significant.
The company has now issued updated versions of its software to mitigate the risk and has urged users to install the latest patches immediately. Security experts emphasize that timely updates are critical, as simply opening a malicious PDF could have been enough to compromise a system.
This incident highlights the persistent threat posed by zero-day vulnerabilities in widely used software and underscores the importance of proactive patching and cybersecurity awareness, especially in environments where PDF documents are routinely exchanged.
