Adobe has issued an emergency out-of-band security patch for Acrobat and Acrobat Reader to address CVE-2026-34621, a zero-day vulnerability actively exploited since at least December. The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs such as util.readFileIntoStream() and RSS.addFeed(), enabling arbitrary file theft and remote code execution with no user interaction beyond opening the file. The vulnerability was discovered by researcher Haifei Li via the EXPMON exploit detection system after a suspiciously named PDF sample was submitted. Attacks in the wild used Russian-language oil and gas industry lures. Adobe has released fixed versions for Acrobat DC, Acrobat Reader DC, and Acrobat 2024 on Windows and macOS. No workarounds exist; updating immediately is the only recommended mitigation.
Table of contents
Related Articles:Sort: