
Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw

Why This Matters

Adobe's emergency security update for Acrobat Reader addresses a critical zero-day vulnerability (CVE-2026-34621) exploited in the wild, which allows malicious PDFs to execute arbitrary code and steal data. This highlights the ongoing importance of timely security patches to protect users from sophisticated attacks that can bypass sandbox restrictions. The incident underscores the need for vigilance and rapid response in cybersecurity for both vendors and consumers.

Key Takeaways

Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December.

The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, potentially leading to arbitrary code execution. The exploit observed in attacks enables reading and stealing arbitrary files. No user interaction is required beyond opening the malicious PDF.

Specifically, the exploit abuses APIs like util.readFileIntoStream() to read arbitrary local files and RSS.addFeed() to exfiltrate data and fetch additional attacker-controlled code.
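A defender-side triage check for the two API names above, as an added example that is not from the article, Adobe, or EXPMON: it inflates FlateDecode streams in a PDF and reports where `util.readFileIntoStream` or `RSS.addFeed` is referenced. The function names, the regex-based stream extraction, and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# API names as given in the article. A hit is a triage hint, not a verdict.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def decoded_views(pdf_bytes):
    """Yield (label, bytes) for the raw file and each zlib-inflatable stream."""
    yield "raw", pdf_bytes
    for i, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        try:
            # decompressobj tolerates a clipped trailer in malformed files
            yield f"stream[{i}]", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter, encrypted, or not compressed

def scan_pdf(pdf_bytes):
    """Return sorted (location, api_name) pairs found in the document."""
    hits = set()
    for where, data in decoded_views(pdf_bytes):
        for api in SUSPECT_APIS:
            if api in data:
                hits.add((where, api.decode()))
    return sorted(hits)

def build_sample(text):
    """Constructed test input: one FlateDecode stream holding inert text."""
    body = zlib.compress(text)
    return (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

# Inert comment text only; it names the APIs but calls nothing.
FLAGGED = build_sample(b"// constructed: util.readFileIntoStream RSS.addFeed")
CLEAN = build_sample(b"// constructed: app.alert only")

if __name__ == "__main__":
    for name, sample in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(name, scan_pdf(sample))
```

Obfuscated JavaScript, encrypted documents, and streams using filters other than FlateDecode will not match, so an empty result does not clear a file.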

The security issue was discovered by Haifei Li, founder of the EXPMON exploit detection system, after someone submitted for analysis a PDF sample named "yummy_adobe_exploit_uwu.pdf."

Haifei Li says that someone submitted the sample to EXPMON on March 26, but it had been sent to VirusTotal three days before, where only five out of 64 security vendors flagged it as malicious at the time.

The researcher decided to manually investigate the issue after the exploit detection system activated its "detection in depth" feature, an advanced detection capability Haifei Li specifically developed for Adobe Reader, he said in a blog post last week.

Security researcher Gi7w0rm spotted attacks in the wild that leveraged Russian-language documents with oil and gas industry lures.

After receiving Li's report, Adobe published a security bulletin over the weekend and assigned the vulnerability the identifier CVE-2026-34621.

Although the flaw was initially rated critical (9.6) with a network attack vector, Adobe subsequently lowered the severity to 8.6 after changing the vector to local.

The vendor listed the following Windows and macOS products as impacted:
