
Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December.
The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, potentially leading to arbitrary code execution. The exploit seen in attacks allows reading and stealing arbitrary files. No user interaction is needed beyond opening the malicious PDF.
Specifically, the exploit abuses APIs such as util.readFileIntoStream() to read arbitrary local files and RSS.addFeed() to exfiltrate data and fetch additional attacker-controlled code.
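For defenders triaging inbound PDFs, the two API names above can serve as a coarse indicator. The following is an added example, not code from Adobe or the researchers: it searches the raw file and every Flate-compressed stream for those names. The sample bytes are constructed and `_make_pdf` is a hypothetical helper.

```python
import re
import zlib

# API names taken from the article; matching them is a triage heuristic only.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")

# A PDF stream body sits between the "stream" and "endstream" keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decoded_views(pdf_bytes):
    """Yield the raw file plus every stream body that inflates as Flate/zlib."""
    yield "raw", pdf_bytes
    for i, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        try:
            # decompressobj tolerates the trailing EOL and truncated checksums.
            yield f"stream#{i}", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; the raw view already covers it


def scan_pdf(pdf_bytes):
    """Return a sorted list of (view, api_name) hits for the APIs named above."""
    hits = set()
    for view, data in decoded_views(pdf_bytes):
        for api in SUSPECT_APIS:
            if api in data:
                hits.add((view, api.decode()))
    return sorted(hits)


def _make_pdf(js, compress):
    """Build a constructed, minimal PDF-like blob carrying `js` in one stream."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< " + filt + b"/Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: inert strings, not a working exploit.
SAMPLE_PLAIN = _make_pdf(b"var s = util.readFileIntoStream(p);", compress=False)
SAMPLE_FLATE = _make_pdf(b"RSS.addFeed(u); util.readFileIntoStream(p); " * 3, compress=True)
SAMPLE_CLEAN = _make_pdf(b"app.alert('hello');", compress=True)

if __name__ == "__main__":
    for name, blob in [("plain", SAMPLE_PLAIN), ("flate", SAMPLE_FLATE), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_pdf(blob))
```

A hit is a reason to escalate the file for analysis, not a verdict; an empty result proves nothing, since script hidden behind other stream filters, object streams, encryption or string obfuscation will not match.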
The security issue was discovered by Haifei Li, founder of the EXPMON exploit detection system, after someone submitted for analysis a PDF sample named “yummy_adobe_exploit_uwu.pdf.”
Haifei Li says that someone submitted the sample to EXPMON on March 26, but it had been sent to VirusTotal three days earlier, where only 5 out of 64 security vendors flagged it as malicious at the time.
The researcher decided to manually investigate the issue after the exploit detection system activated its “detection intensive” feature, an advanced detection capability Haifei Li specifically developed for Adobe Reader, he says in a blog post last week.
Security researcher Gi7w0rm observed attacks in the wild that leveraged Russian-language documents with oil and gas industry lures.
Following the receipt of Li’s report, Adobe published a security bulletin over the weekend, assigning the vulnerability the identifier CVE-2026-34621.
Although the flaw was initially rated critical (9.6) with a network attack vector, Adobe subsequently lowered the severity to 8.6 after changing the vector to local.
The vendor listed the following Windows and macOS products as impacted:
- Acrobat DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
- Acrobat Reader DC versions 26.001.21367 and earlier (fixed in version 26.001.21411)
- Acrobat 2024 versions 24.001.30356 and earlier (fixed in version 24.001.30362 on Windows, and version 24.001.30360 on Mac)
Adobe recommends that users of the above software update their applications through ‘Help > Check for Updates,’ which triggers an automatic update.
Alternatively, users may download an Acrobat Reader installer from Adobe’s official software portal.
No workarounds or mitigations were listed in the bulletin, so applying the security updates is the only recommended action.
However, users should always be wary of PDF files sent from unsolicited sources and open them in sandboxed environments when suspicious.



