Adobe Acrobat and Reader Arbitrary Code Execution Vulnerability Exploited in the Wild (CVE-2026-34621)
Adobe released a security update to address an actively exploited vulnerability impacting Adobe Acrobat and Reader. Tracked as CVE-2026-34621, the vulnerability may allow an attacker to run malicious code on affected installations.
Haifei Li from EXPMON discovered and reported the vulnerability to Adobe.
Adobe Acrobat Reader is a free, widely used application for viewing, printing, signing, sharing, and annotating PDF files on desktop and mobile devices. It serves as the standard, trusted PDF viewer, allowing users to fill out forms and collaborate on documents, while premium subscriptions are needed for advanced editing features.
Vulnerability Details
The vulnerability originates from a prototype pollution flaw that could lead to arbitrary code execution. Prototype pollution is a JavaScript security vulnerability that allows an attacker to manipulate an application’s objects and properties.
Haifei Li described the technical details of the vulnerability in a blog post. According to the post, the exploit calls the “util.readFileIntoStream()” API, which lets attackers read arbitrary files (accessible by the sandboxed Reader process) on the local system. In this way, the exploit can collect a wide range of information from the local system and steal local file data.
The “RSS.addFeed()” API, which contains the “util.readFileIntoStream()” API, is called to serve two purposes:
- Sending the information collected from the local system to a remote server.
- Receiving additional JavaScript code to be executed.
This mechanism allows the threat actor to collect user information, steal local data, perform advanced “fingerprinting”, and launch future attacks. If the target meets the attacker’s conditions, the attacker may deliver additional exploits to achieve remote code execution (RCE) or sandbox escape (SBX).
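For triage, the two API names above can be used as a simple string indicator when reviewing PDF attachments. The following is an added example, not code from Adobe, EXPMON, or Qualys: it scans a PDF's raw bytes and its zlib (FlateDecode) streams for those names. The helper names and sample documents are constructed for illustration, and the check does not cover other stream filters, object streams, or obfuscated JavaScript.

```python
import re
import zlib

# API names the article attributes to the exploit's JavaScript.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def candidate_buffers(pdf_bytes):
    """Yield the raw file, then every stream body that inflates as zlib."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a trimmed trailing byte. Streams that are
            # not zlib data raise zlib.error and are skipped (unfiltered ones
            # were already covered by the raw pass above).
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue


def scan_pdf(pdf_bytes):
    """Return the sorted suspect API names found anywhere in the PDF."""
    hits = set()
    for buf in candidate_buffers(pdf_bytes):
        hits.update(api.decode() for api in SUSPECT_APIS if api in buf)
    return sorted(hits)


def build_sample(js, compress=True):
    """Build a minimal, constructed PDF-like byte string with one JS stream."""
    body = zlib.compress(js) if compress else js
    flt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< " + flt + b"/Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: placeholder JavaScript that only names the APIs.
BENIGN = build_sample(b"app.alert('hello');")
FLAGGED = build_sample(b"// util.readFileIntoStream\n// RSS.addFeed\n" * 3)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, scan_pdf(sample))
```

A hit only marks the file for manual review; a clean result does not clear it, since the names can be hidden from a plain string match.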
Affected Versions
| Product | Track | Affected Versions | Platform |
| Acrobat DC | Continuous | 26.001.21367 and earlier | Windows & macOS |
| Acrobat Reader DC | Continuous | 26.001.21367 and earlier | Windows & macOS |
| Acrobat 2024 | Classic 2024 | 24.001.30356 and earlier | Windows & macOS |
Mitigation
Adobe released the following security updates to patch the vulnerability:
| Product | Track | Updated Versions | Platform |
| Acrobat DC | Continuous | 26.001.21411 | Windows & macOS |
| Acrobat Reader DC | Continuous | 26.001.21411 | Windows & macOS |
| Acrobat 2024 | Classic 2024 | Windows: 24.001.30362; Mac: 24.001.30360 | Windows & macOS |
For more information, please refer to the Adobe Security Advisory (APSB26-43).
Qualys Detection
Qualys customers can scan their devices with QID 387005 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
