Adobe Patches Critical Acrobat Flaw Exploited as Zero-Day
Adobe has released an emergency security update for Adobe Acrobat and Reader on Windows and macOS, addressing a critical vulnerability that is already being exploited in the wild.
Published on April 11, 2026, under bulletin APSB26-43, the update carries Adobe’s highest Priority Rating of 1, indicating active exploitation and the need for immediate patching.
The flaw, tracked as CVE-2026-34621, is classified as an Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution (CWE-1321).
Critical Acrobat Vulnerability
Successful exploitation of this vulnerability can result in arbitrary code execution, allowing attackers to take control of an affected system.
Adobe revised the CVSS score on April 12, 2026, changing the Attack Vector from Network (AV:N) to Local (AV:L), which lowered the overall score from 9.6 to 8.6.
The vulnerability was discovered and responsibly disclosed by Haifei Li of EXPMON, a platform known for detecting novel exploit techniques targeting document readers and browser-based attack surfaces.
Affected Products and Versions
The following versions are confirmed vulnerable:
- Acrobat DC (Continuous Track): Version 26.001.21367 and earlier — Windows & macOS
- Acrobat Reader DC (Continuous Track): Version 26.001.21367 and earlier — Windows & macOS
- Acrobat 2024 (Classic 2024 Track): Version 24.001.30356 and earlier — Windows & macOS
Adobe has confirmed it is aware of CVE-2026-34621 being exploited in the wild, making this a zero-day at the time of disclosure. Organizations relying on any of the above products should treat this update as urgent.
Patched Versions
Adobe has issued the following fixed versions:
- Acrobat DC / Acrobat Reader DC (Continuous): Version 26.001.21411 for both Windows and macOS
- Acrobat 2024 (Classic 2024): Version 24.001.30362 (Windows) and 24.001.30360 (macOS)
End users can apply the patch immediately by selecting Help > Check for Updates in the application. Acrobat and Reader also support automatic background updates without user intervention.
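To triage a fleet against the version lists above, the following added example (not from Adobe's bulletin or the original article) compares inventory rows with the fixed build for each track and platform. The track and platform labels, the `triage` and `report` helpers, and the inventory rows are assumptions constructed for illustration.

```python
# Fixed builds copied from the "Patched Versions" list; keys are (track, platform).
# The track/platform labels are this example's own naming, not Adobe's.
FIXED = {
    ("continuous", "windows"): "26.001.21411",
    ("continuous", "macos"): "26.001.21411",
    ("classic2024", "windows"): "24.001.30362",
    ("classic2024", "macos"): "24.001.30360",
}

def parse_version(text):
    """Turn '26.001.21367' into (26, 1, 21367) so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(track, platform, version):
    """Classify one install as 'vulnerable', 'patched' or 'review'."""
    fixed = FIXED.get((track.lower(), platform.lower()))
    if fixed is None:
        return "review"      # track/platform not covered by the lists above
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"      # malformed inventory value: check by hand
    return "patched" if installed >= parse_version(fixed) else "vulnerable"

# Constructed sample inventory: (host, track, platform, version).
INVENTORY = [
    ("ws-001", "continuous", "windows", "26.001.21367"),
    ("ws-002", "continuous", "windows", "26.001.21411"),
    ("mac-003", "classic2024", "macos", "24.001.30360"),
    ("ws-004", "classic2024", "windows", "24.001.30360"),
    ("mac-005", "continuous", "macos", "25.001.20997"),
    ("ws-006", "continuous", "windows", "unknown"),
]

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(track, plat, ver) for host, track, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Build 24.001.30360 counts as patched on macOS but is still vulnerable on Windows, where the fixed build is 24.001.30362, so the comparison has to be platform-aware.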
Recommendations
Given that active exploitation of CVE-2026-34621 has been confirmed, security teams should prioritize this patch across all endpoints running vulnerable versions of Acrobat or Reader.
Organizations should also monitor for suspicious process spawning from Acrobat-related processes, which may indicate exploitation attempts. Adobe’s bulletin APSB26-43 serves as the authoritative reference for this update.