Adobe fixes actively exploited Acrobat Reader flaw CVE-2026-34621

Pierluigi Paganini April 12, 2026

Adobe addressed a critical Acrobat Reader vulnerability, tracked as CVE-2026-34621, which is actively exploited to run malicious code.

Adobe released emergency updates to address a critical vulnerability, tracked as CVE-2026-34621 (CVSS score of 8.6), in Adobe Acrobat Reader, which is being actively exploited. The flaw could allow attackers to execute malicious code on affected systems, making prompt patching essential to reduce the risk of compromise.

“Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary code execution.” reads the advisory. “Adobe is aware of CVE-2026-34621 being exploited in the wild.”

The vulnerability is an improperly controlled modification of object prototype attributes (‘Prototype Pollution’) that can lead to arbitrary code execution.

Improperly Controlled Modification of Object Prototype Attributes (often called prototype pollution) is a vulnerability mainly in JavaScript where an attacker can modify the base object prototype that many other objects inherit from. In JavaScript, objects can inherit properties from a shared prototype (like Object.prototype). If an application doesn’t properly validate input, an attacker can inject values into this prototype.
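The mechanism described above, as an added JavaScript example (not taken from Adobe's advisory or Li's analysis, and not the Acrobat bug itself): a naive recursive merge lets a `__proto__` key in untrusted JSON reach Object.prototype, while the hardened version skips it. The function names and the sample input are constructed for illustration.

```javascript
// Added illustration: function names and the sample input are constructed.

// Naive deep merge: walks every key of src, including "__proto__".
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      // For key "__proto__", target[key] resolves to Object.prototype itself.
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: refuses prototype-related keys and only descends into own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge constructed untrusted input, then check whether an unrelated object was affected.
function demo(merge) {
  const untrusted = JSON.parse('{"theme":{"dark":true},"__proto__":{"polluted":true}}');
  const config = merge({}, untrusted);
  const unrelated = {};
  const result = { dark: config.theme.dark, unrelatedPolluted: unrelated.polluted === true };
  delete Object.prototype.polluted; // undo the pollution so later code is unaffected
  return result;
}

console.log('unsafe:', demo(unsafeMerge)); // unrelatedPolluted: true
console.log('safe:  ', demo(safeMerge));   // unrelatedPolluted: false
```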

Below are the impacted versions:

| Product | Track | Affected Versions | Platform |
|---|---|---|---|
| Acrobat DC | Continuous | 26.001.21367 and earlier | Windows & macOS |
| Acrobat Reader DC | Continuous | 26.001.21367 and earlier | Windows & macOS |
| Acrobat 2024 | Classic 2024 | 24.001.30356 and earlier | Windows & macOS |

Adobe acknowledged Haifei Li, founder of EXPMON, for reporting this flaw.

Li recently revealed that a zero-day flaw was exploited to run malicious JavaScript via crafted PDFs in Adobe Acrobat Reader. According to the expert, threat actors used the Adobe Reader zero-day for months to deliver a sophisticated PDF exploit.

On March 26, a suspicious PDF was submitted to EXPMON and flagged by its advanced “detection in depth” feature, despite low antivirus detection (13/64 on VirusTotal).

The system marked it for manual review, highlighting potential hidden threats. EXPMON identifies exploits through automated alerts, analyst inspection of logs and indicators, and large-scale data analysis. This case shows how advanced detection can uncover sophisticated zero-day activity that traditional tools may miss, though it requires expert analysis to confirm.

The sample analyzed by Li works as an initial exploit that abuses an unpatched Adobe Reader flaw to run privileged APIs on fully updated systems.

It uses “util.readFileIntoStream()” to read local files and collect sensitive data. Then it calls “RSS.addFeed()” to send stolen data to a remote server and receive more malicious JavaScript.

This lets attackers profile victims, steal information, and decide whether to launch further attacks, including remote code execution or sandbox escape if the target meets specific conditions.
