Critical Zero‑Day in Adobe Acrobat Reader (CVE‑2026‑34621) Enables Arbitrary Code Execution
What It Is – Adobe disclosed a critical remote‑code‑execution flaw (CVE‑2026‑34621) in Acrobat Reader and Acrobat DC. The vulnerability is a prototype‑pollution bug in the PDF rendering engine's JavaScript handling: a crafted PDF carrying malicious JavaScript can execute arbitrary code on the endpoint that opens it.
Exploitability – Actively exploited in the wild for months before the fix was available; exploit PDFs have been observed delivering payloads. CVSS 9.6 (critical).
Affected Products – Adobe Acrobat DC (≤ 26.001.21367), Acrobat Reader DC (≤ 26.001.21367), Acrobat 2024 Classic (≤ 24.001.30356) on Windows and macOS.
TPRM Impact – Organizations that rely on Adobe Reader as a third‑party component (e.g., finance, healthcare, legal, SaaS platforms) inherit a supply‑chain risk: a malicious PDF arriving by email, portal upload or shared drive can compromise any endpoint that opens it in a vulnerable build, potentially leading to data breach, a ransomware drop, or lateral movement.
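The attack path above (JavaScript embedded in a PDF, wired to run when the document is opened) is something a mail gateway or upload handler can look for before a file reaches Acrobat. The block below is an added example, not code from the original page or from Adobe: a Python triage scanner that counts the PDF name objects that indicate script or an automatic trigger (/JavaScript, /JS, /OpenAction, /AA, /Launch), undoes #xx name escapes such as /J#53 so trivially obfuscated names are still matched, inflates FlateDecode streams so an action hidden inside an object stream is seen, and reports a file as "inspect" rather than "allow" when it contains a filtered stream it could not decode. The name list and verdict thresholds are this example's own choices; the sample PDFs are constructed for it and carry only app.alert(1).

```python
"""Triage PDFs for the embedded-JavaScript vector (added example, not Adobe's code)."""
import re
import zlib

# Name objects that indicate script or an automatic trigger. The list is this
# example's own choice; extend it for your gateway.
SUSPICIOUS_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch")

_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(raw: bytes) -> str:
    """Undo PDF #xx name escapes so /J#53 is recognised as /JS."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def _count_names(data: bytes) -> dict:
    counts = dict.fromkeys(SUSPICIOUS_NAMES, 0)
    for m in _NAME_RE.finditer(data):
        name = _decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage_pdf(data: bytes) -> dict:
    """Scan the raw bytes, then every stream zlib can inflate, so an action
    hidden in a FlateDecode object stream is still seen. A stream with a
    /Filter that cannot be inflated counts as opaque: the file is then sent
    for inspection instead of being allowed on the strength of a partial view."""
    counts = _count_names(data)
    inflated = opaque = 0
    for m in _STREAM_RE.finditer(data):
        # The stream's own dictionary sits between the last "obj" and "stream".
        dict_start = max(data.rfind(b"obj", 0, m.start()), 0)
        filtered = b"/Filter" in data[dict_start:m.start()]
        dec = zlib.decompressobj()
        try:
            body = dec.decompress(m.group(1)) + dec.flush()
            complete = dec.eof
        except zlib.error:
            body, complete = b"", False
        if complete:
            inflated += 1
            for name, n in _count_names(body).items():
                counts[name] += n
        elif filtered:
            opaque += 1
    has_script = counts["JavaScript"] + counts["JS"] > 0
    auto_trigger = counts["OpenAction"] + counts["AA"] > 0
    if has_script and auto_trigger:
        verdict = "block"       # script wired to run without user action
    elif has_script or counts["Launch"]:
        verdict = "quarantine"  # script or external launch, no auto trigger seen
    elif opaque:
        verdict = "inspect"     # could not see inside every stream
    else:
        verdict = "allow"
    return {"verdict": verdict, "counts": counts,
            "inflated_streams": inflated, "opaque_streams": opaque}


# Constructed samples, not real exploit documents: the only script is app.alert(1).
_JS_ACTION = b"3 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj\n"
PLAIN_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    + _JS_ACTION + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Same action with #xx-escaped names, a common evasion of naive keyword scans.
ESCAPED_JS_PDF = (PLAIN_JS_PDF.replace(b"/OpenAction", b"/Open#41ction")
                  .replace(b"/JavaScript", b"/J#61vaScript").replace(b"/JS", b"/J#53"))
# Action object hidden in a FlateDecode object stream, triggered by a page /AA
# event. (A real /ObjStm also carries an offset table; the scanner does not need it.)
_DEFLATED = zlib.compress(_JS_ACTION)
COMPRESSED_JS_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [5 0 R] /Count 1 >> endobj\n"
    b"5 0 obj << /Type /Page /Parent 2 0 R /AA << /O 3 0 R >> >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
    + str(len(_DEFLATED)).encode() + b" >>\nstream\n" + _DEFLATED
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
# A filtered stream the scanner cannot inflate (LZW, and the bytes are junk):
# no script seen, but the file must not be declared clean.
OPAQUE_PDF = CLEAN_PDF.replace(b"trailer", b"4 0 obj << /Filter /LZWDecode /Length 8 >>"
                               b"\nstream\n\x00\x01\x02\x03\x04\x05\x06\x07\nendstream\nendobj\ntrailer")
```

The scanner is a gatekeeping heuristic, not a parser: it errs toward "inspect" whenever it cannot see inside a stream, and it is meant to sit in front of a sandbox or a full PDF parser, not to replace either.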
Recommended Actions –
- Deploy Adobe's emergency update to all Acrobat/Reader installations immediately; confirm the minimum fixed build against Adobe's security bulletin, since this summary lists only the highest affected builds.
- Verify patch compliance across all managed endpoints and any SaaS services or kiosks that embed Adobe PDF viewers; treat hosts whose product or version cannot be determined as unverified, not as compliant.
- Enforce strict PDF sanitization (strip JavaScript and automatic actions at the gateway) or sandboxing for inbound documents; where workflows allow, disable Acrobat JavaScript as a compensating control while patching, as defence in depth rather than a substitute for the update.
- Update incident‑response playbooks to include PDF‑based RCE scenarios (initial access through a document opened on a user endpoint).
- Monitor threat‑intel feeds for Indicators of Compromise (IOCs) linked to the exploited PDFs, and hunt for Acrobat or Reader processes spawning unexpected child processes, the usual sign that a document‑based exploit has run.
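Patch compliance (the second action above) is easier to verify from an endpoint‑management export than by hand, and the comparison has two traps: Adobe's version strings have a zero‑padded middle field, and a row with an unparseable version or an unlisted product must not be counted as compliant by default. The block below is an added example, not code from the original page or from Adobe: it parses the three‑field version strings, compares each inventory row against the affected ceilings listed above, and returns "unknown" for malformed versions or products the advisory does not cover. Because the page does not give the fixed build numbers, anything above a ceiling is reported as "not_affected" rather than "patched". The CSV column names and the sample rows are constructed for the example.

```python
"""Check an endpoint inventory against the advisory's affected builds (added example)."""
import csv
import io
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Highest affected build per product family, taken from the advisory text.
# Fixed builds are not listed on the page, so anything above the ceiling is
# reported as "not_affected", not "patched"; confirm the fix level with Adobe.
AFFECTED_CEILING = {
    "Acrobat DC": (26, 1, 21367),
    "Acrobat Reader DC": (26, 1, 21367),
    "Acrobat 2024 Classic": (24, 1, 30356),
}


def parse_version(text: str) -> Optional[Version]:
    """'26.001.21367' -> (26, 1, 21367). Returns None for anything that is not
    three numeric dot-separated fields, so a malformed row is never compared
    as if it were build zero."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def classify(product: str, version_text: str) -> str:
    """Return 'affected', 'not_affected' or 'unknown' for one inventory row."""
    ceiling = AFFECTED_CEILING.get(product.strip())
    version = parse_version(version_text)
    if ceiling is None or version is None:
        return "unknown"  # product not covered by the advisory, or bad version string
    return "affected" if version <= ceiling else "not_affected"


def triage_inventory(csv_text: str) -> dict:
    """Group hostnames by status. The hostname,product,version columns are this
    example's assumption about the export format; adjust to your tooling."""
    groups = {"affected": [], "not_affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[classify(row["product"], row["version"])].append(row["hostname"])
    return groups


# Constructed inventory rows, not real hosts. legal-ws-07 carries a build above
# the listed ceiling; whether that build is the fixed one is for Adobe's bulletin.
SAMPLE_INVENTORY = """hostname,product,version
fin-laptop-01,Acrobat Reader DC,26.001.21367
fin-laptop-02,Acrobat Reader DC,25.001.20432
legal-ws-07,Acrobat DC,26.001.21400
hr-mac-03,Acrobat 2024 Classic,24.001.30356
kiosk-11,Acrobat Reader DC,26.001
build-srv-02,Acrobat 2020 Classic,20.005.30748
"""

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is the one to chase: a kiosk that reports a two‑field version or a product line the advisory does not mention is exactly where an unpatched Reader tends to hide.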
Source: SecurityAffairs – Adobe fixes actively exploited Acrobat Reader flaw CVE‑2026‑34621