PROBABLYPWNED
Vulnerabilities | April 12, 2026 | 4 min read

Adobe Patches Acrobat Zero-Day Under Active Attack Since December

CVE-2026-34621 is a prototype pollution flaw in Adobe Acrobat Reader with a CVSS score of 8.6. Active exploitation began in December 2025. Update immediately.

Marcus Chen

Adobe shipped emergency patches today for a critical Acrobat Reader vulnerability that attackers have been exploiting since at least December 2025. The four-month gap between initial exploitation and patch availability underscores persistent challenges in vulnerability disclosure timelines.

CVE-2026-34621 is a prototype pollution flaw affecting Acrobat Reader's JavaScript engine. Opening a malicious PDF triggers arbitrary code execution—no further user interaction required beyond opening the document.

What is Prototype Pollution?

Prototype pollution manipulates JavaScript's object inheritance mechanism. By poisoning the prototype chain, attackers inject malicious properties that propagate to all objects sharing that prototype. In Acrobat's case, this leads to code execution rather than the information leaks typically associated with this vulnerability class.
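
The mechanism described above, shown on the vulnerability class in general with a recursive merge next to a hardened version. This is an added example, not code from Adobe, Li's disclosure, or this article, and it does not reproduce the Acrobat flaw; the function names and the "skipChecks" property are hypothetical.

```javascript
// Vulnerable pattern: a recursive merge that trusts every key in its input.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // For key "__proto__", target[key] resolves to Object.prototype itself,
      // so the recursion writes onto the prototype shared by all plain objects.
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: refuse prototype-bearing keys and descend only into own properties.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging the constructed input leaks a property onto unrelated objects.
function pollutesUnrelatedObjects(mergeFn) {
  // Constructed input; "skipChecks" is a hypothetical property name.
  const untrusted = JSON.parse('{"theme":"dark","__proto__":{"skipChecks":true}}');
  try {
    mergeFn({}, untrusted);
    return ({}).skipChecks === true; // a fresh object that was never merged into
  } finally {
    delete Object.prototype.skipChecks; // restore the prototype for the next run
  }
}

console.log("unsafeMerge pollutes:", pollutesUnrelatedObjects(unsafeMerge));
console.log("safeMerge pollutes:  ", pollutesUnrelatedObjects(safeMerge));
```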

Security researcher Haifei Li, founder of EXPMON, discovered the flaw and disclosed details publicly before Adobe's patch was ready. Li noted that Adobe initially categorized the vulnerability as an information leak before confirming it enabled arbitrary code execution.

"This is worse than a typical prototype pollution," Li stated in his disclosure. The flaw bypasses Acrobat's sandbox protections entirely.

For readers unfamiliar with JavaScript-based attack vectors, our malware fundamentals guide covers common exploitation techniques and how they translate to real-world attacks.

Affected Versions

The vulnerability impacts both Windows and macOS installations:

Acrobat DC & Reader DC:

  • Vulnerable: 26.001.21367 and earlier
  • Fixed: 26.001.21411

Acrobat 2024:

  • Windows: Fixed in 24.001.30362
  • macOS: Fixed in 24.001.30360

Adobe's security bulletin initially assigned a CVSS score of 9.6, but adjusted it to 8.6 on April 12 after changing the attack vector classification from Network to Local. The practical impact remains the same—users who open malicious PDFs face code execution.

Active Exploitation Timeline

Evidence suggests exploitation began in December 2025, making this a four-month window of active attacks before patches became available:

  • December 2025: First suspected exploitation in the wild
  • Early April 2026: Li publicly discloses vulnerability details
  • April 12, 2026: Adobe releases emergency patches

The extended exploitation window mirrors patterns we've seen with other document-based attacks. The Marimo RCE vulnerability was weaponized within 10 hours of disclosure, but CVE-2026-34621 demonstrates how some flaws are exploited for months before patches arrive.

Why This Matters

PDF-based attacks remain effective because the file format is ubiquitous in business workflows. Finance teams, legal departments, and HR staff routinely open PDFs from external sources—exactly the behavior attackers exploit.

This vulnerability follows a familiar pattern we've tracked across multiple document readers. Microsoft Office vulnerabilities like CVE-2026-21509, which APT28 weaponized for their PRISMEX campaign, demonstrate how nation-state actors prioritize document-based initial access.

Adobe Acrobat's install base spans hundreds of millions of devices. Even with automatic updates enabled, enterprise deployments often lag behind consumer installations due to testing requirements.

Immediate Actions

  1. Update immediately — Deploy patches through Adobe's update mechanism or download directly from Adobe's security portal
  2. Monitor PDF sources — Treat unexpected PDF attachments with additional scrutiny, particularly from unfamiliar senders
  3. Review Acrobat settings — Consider disabling JavaScript execution in Acrobat for environments where it's not required (Edit > Preferences > JavaScript > uncheck "Enable Acrobat JavaScript")
  4. Check EDR telemetry — Look for anomalous child processes spawned by Acrobat executables dating back to December 2025

Organizations using centralized patch management should prioritize this update. Because the flaw is already being exploited in the wild, attackers are not waiting for proof-of-concept code.

Detection Indicators

Security teams should monitor for:

  • Unusual child processes spawned by AcroRd32.exe or Acrobat.exe
  • JavaScript execution within PDF documents that triggers external network connections
  • PowerShell or cmd.exe processes with Acrobat as the parent

The prototype pollution technique means traditional sandbox escapes may not apply. Attackers can execute code within the Acrobat process context before attempting privilege escalation.
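
One way to run the process-lineage checks above over exported telemetry, covering the window back to December 2025. This is an added example, not tooling from Adobe or this article; the event field names, the sample events, and the allow-list of expected Acrobat child processes are assumptions to adapt to your EDR's schema and environment.

```javascript
// Constructed sample events; field names are assumptions, not a specific EDR schema.
const SAMPLE_EVENTS = [
  { time: "2025-11-20T09:14:00Z", host: "fin-01",
    parent: "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
    child: "C:\\Windows\\System32\\cmd.exe" },              // before the window
  { time: "2026-01-08T13:02:11Z", host: "hr-07",
    parent: "C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe",
    child: "C:\\Program Files (x86)\\Adobe\\Reader\\RdrCEF.exe" }, // expected child
  { time: "2026-02-17T08:45:30Z", host: "legal-03",
    parent: "C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe",
    child: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" },
  { time: "2026-03-02T16:20:05Z", host: "fin-04",
    parent: "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
    child: "C:\\Windows\\System32\\rundll32.exe" },
  { time: "2026-03-05T10:00:00Z", host: "it-02",
    parent: "C:\\Windows\\explorer.exe",
    child: "C:\\Windows\\System32\\cmd.exe" },              // not an Acrobat parent
];

const ACROBAT_PARENTS = new Set(["acrord32.exe", "acrobat.exe"]);
const SHELLS = new Set(["powershell.exe", "cmd.exe"]);
// Assumed allow-list of children normally seen under Acrobat; tune per environment.
const EXPECTED_CHILDREN = new Set(["acrord32.exe", "acrobat.exe", "acrocef.exe", "rdrcef.exe"]);
// Start of the exploitation window reported in the article.
const WINDOW_START = Date.parse("2025-12-01T00:00:00Z");

// Last path component, lower-cased, for either slash style.
const baseName = (path) => path.split(/[\\/]/).pop().toLowerCase();

// Returns child processes of Acrobat inside the window that are not allow-listed.
// Shell children are rated "high"; any other unexpected child is rated "review".
function huntAcrobatChildren(events) {
  const hits = [];
  for (const ev of events) {
    if (Date.parse(ev.time) < WINDOW_START) continue;
    if (!ACROBAT_PARENTS.has(baseName(ev.parent))) continue;
    const child = baseName(ev.child);
    if (EXPECTED_CHILDREN.has(child)) continue;
    hits.push({ time: ev.time, host: ev.host, child,
                severity: SHELLS.has(child) ? "high" : "review" });
  }
  return hits;
}

console.table(huntAcrobatChildren(SAMPLE_EVENTS));
```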

For deeper context on how document-based exploits fit into broader attack chains, our phishing examples guide covers how attackers use malicious attachments for initial access.
