xiand.ai
Apr 13, 2026 · Updated 09:31 PM UTC

Adobe patches zero-day vulnerability in Acrobat and Reader exploited since December

Adobe has released an emergency security update to address a critical flaw in Acrobat and Reader that has been actively used in cyberattacks for months.

Ryan Torres


Adobe has issued an emergency security update for Acrobat and Reader to fix a zero-day vulnerability, tracked as CVE-2026-34621, which has been exploited in attacks since at least December.

The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs. This can lead to arbitrary code execution, enabling attackers to read and steal local files.

No user interaction is required to trigger the exploit other than opening the malicious PDF. The attack specifically abuses APIs such as util.readFileIntoStream() to access local data and RSS.addFeed() to exfiltrate information or fetch additional malicious code.
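For defenders triaging inbound PDFs, the two API names above can serve as a coarse static marker. The following is an added example, not code from Adobe, EXPMON or the original article: a string-based heuristic that inflates FlateDecode streams and undoes PDF name escapes before searching, and it will miss obfuscated scripts, encrypted files and other stream filters. The function names, verdict labels and the sample bytes are assumptions made for illustration.

```python
import re
import zlib

# API names the article says the exploit abuses (taken from the page).
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
# Standard PDF keys for embedded JavaScript and auto-run actions.
JS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflated_streams(data: bytes):
    """Yield the contents of every stream that inflates as zlib (FlateDecode)."""
    for match in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # other filter or uncompressed; raw bytes are scanned anyway


def triage_pdf(data: bytes) -> dict:
    """Report JavaScript keys and suspect API names found in a PDF's bytes."""
    blob = decode_names(b"\n".join([data, *inflated_streams(data)]))
    keys = [k.decode() for k in JS_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", blob)]
    apis = [a.decode() for a in SUSPECT_APIS if a in blob]
    verdict = "suspect" if apis else "has-javascript" if keys else "no-markers"
    return {"verdict": verdict, "js_keys": keys, "apis": apis}


def constructed_sample() -> bytes:
    """Constructed, inert test input: API names appear only as marker text."""
    script = zlib.compress(b"% marker: util.readFileIntoStream RSS.addFeed")
    head = b"%PDF-1.7\n1 0 obj<</OpenAction<</S/J#61vaScript/JS 2 0 R>>>>endobj\n"
    obj = (b"2 0 obj<</Filter/FlateDecode/Length "
           + str(len(script)).encode() + b">>\nstream\n")
    return head + obj + script + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(constructed_sample()))
```

A "suspect" verdict is a reason to route the file to sandbox analysis, not a confirmation of exploitation.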

Discovery and active exploitation

Security researcher Haifei Li, founder of the EXPMON exploit detection system, discovered the vulnerability after analyzing a suspicious PDF sample. Li noted that while the sample was submitted to his system on March 26, it had been flagged by only five out of 64 security vendors on VirusTotal three days earlier.

Li investigated the issue manually after his system's 'detection in depth' feature triggered an alert. He confirmed the exploit's ability to bypass standard security layers.

Other researchers have already observed the flaw being used in the wild. Security researcher Gi7w0rm reported spotting attacks utilizing Russian-language documents that used lures related to the oil and gas industry.

Adobe initially rated the vulnerability with a critical score of 9.6. However, the company later lowered the severity to 8.6 after reclassifying the attack vector from network to local.

The patch covers several versions of Adobe software on both Windows and macOS, including Acrobat DC and Acrobat 2024. Users should navigate to 'Help > Check for Updates' within the application to apply the fix.

Adobe has not listed any specific workarounds or mitigations in its security bulletin. The company recommends that users immediately update their software and remain cautious when opening PDFs from unknown or unsolicited sources.
