Adobe Patches Critical Acrobat Reader Zero-Day CVE-2026-34621 Under Active Exploitation

Adobe has issued an emergency out-of-band security update for Acrobat Reader and Acrobat DC following the discovery of CVE-2026-34621, a critical zero-day vulnerability under active exploitation. The flaw allows remote code execution when a victim opens a specially crafted PDF file.

Vulnerability Details

CVE-2026-34621 is a use-after-free vulnerability in Adobe Acrobat’s JavaScript engine. When a user opens a malicious PDF, the embedded JavaScript triggers a memory corruption condition that gives attackers full code execution in the context of the logged-in user.

  • CVSS Score: 9.1 (Critical)
  • Attack Vector: Local (user must open the PDF)
  • Privileges Required: None
  • User Interaction: Required (open file)
  • Affected versions: Acrobat DC 24.x prior to 24.004.21465, Acrobat Reader DC 24.x prior to 24.004.21465

How Attackers Are Using It

Researchers at Mandiant report that threat actors are distributing the malicious PDFs via:

  • Phishing emails disguised as invoices, contracts, and shipping notices
  • Compromised file-sharing links in Microsoft Teams and Slack
  • Malvertising campaigns targeting business users searching for PDF conversion tools

Updating Adobe Acrobat

# Check current version
# Help > About Adobe Acrobat

# Update via GUI
# Help > Check for Updates

# Enterprise deployment (SCCM/Intune)
# Download latest installer from Adobe Admin Console
# Target version: 24.004.21465 or later

# Verify update via registry (Windows)
reg query "HKLM\SOFTWARE\Adobe\Adobe Acrobat\DC\Installer" /v InstalledVersion

Immediate Mitigations if You Cannot Patch

  • Disable JavaScript in Acrobat: Edit > Preferences > JavaScript > uncheck “Enable Acrobat JavaScript”
  • Enable Protected Mode: Edit > Preferences > Security (Enhanced) > Enable Protected Mode at startup
  • Open PDFs in a browser’s built-in viewer (Chrome PDF viewer, Firefox) as a temporary alternative
  • Consider using an alternative PDF reader (Sumatra PDF, Evince) that does not execute JavaScript

The SudoFlare Takeaway

PDF-based attacks remain one of the most effective initial access vectors because PDFs are universally trusted. Disable JavaScript in Acrobat Reader right now — the vast majority of legitimate PDFs do not require it. Enterprise security teams should add PDF attachment scanning with sandboxing to their email gateways.
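
As a starting point for the attachment scanning suggested above, the following added example (not from Adobe or any vendor tooling) shows a static triage pass that looks for script and auto-run names in a PDF's raw bytes before deciding whether to pass, sandbox, or quarantine it. The function names, the verdict policy, and the sample byte strings are assumptions made for illustration.

```python
import re

# PDF name tokens that indicate embedded script, auto-run actions, or
# compressed object streams (which hide names from a raw byte scan).
SUSPECT_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "ObjStm")
# A PDF name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r /<>\[\](){}%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so J#61vaScript is read as JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_suspect_names(pdf_bytes: bytes) -> dict:
    """Count each suspect name found in the raw (uncompressed) bytes."""
    counts = {name: 0 for name in SUSPECT_NAMES}
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(pdf_bytes: bytes) -> str:
    """Return 'quarantine', 'sandbox' or 'pass' (assumed gateway policy)."""
    if b"%PDF-" not in pdf_bytes[:1024]:
        return "quarantine"  # claimed to be a PDF but has no header
    c = count_suspect_names(pdf_bytes)
    if c["JavaScript"] or c["JS"]:
        return "quarantine"  # carries embedded script
    if c["OpenAction"] or c["AA"] or c["Launch"] or c["ObjStm"]:
        return "sandbox"  # auto-run action, or objects a raw scan cannot see
    return "pass"


# Constructed samples (not real documents): a plain PDF, one with a
# hex-escaped /JavaScript name, and one with only an /OpenAction.
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n")
AUTORUN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction [4 0 R /Fit] >>\nendobj\n"

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("scripted", SCRIPTED), ("autorun", AUTORUN)):
        print(label, triage(data), count_suspect_names(data))
```

A raw byte scan like this is only a first filter: names stored inside compressed object streams are invisible to it, which is why files containing /ObjStm are routed to the sandbox rather than passed.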
