# Adobe Patches Actively Exploited Zero-Day in Acrobat Reader

_Monday, April 13, 2026 at 2:04 PM EDT · Cybersecurity · Latest · Tier 1 — Major_

![Adobe Patches Actively Exploited Zero-Day in Acrobat Reader — Primary](https://www.bleepstatic.com/content/hl-images/2026/04/13/Adobe.jpg)

Adobe has released an emergency security update for Acrobat Reader to address a critical vulnerability that has been exploited in zero-day attacks since at least December 2025.

The flaw, tracked as CVE-2026-34621, allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, potentially enabling arbitrary code execution. The vulnerability was initially rated critical with a severity score of 9.6, later adjusted to 8.6 after Adobe changed the attack vector classification from network to local.

Security researcher Haifei Li of EXPMON discovered the vulnerability after an exploit sample was submitted to the detection system on March 26. The sample had been uploaded to VirusTotal three days prior, where only five of 64 security vendors initially flagged it as malicious.

The exploit abuses specific JavaScript APIs including util.readFileIntoStream() to read arbitrary local files and RSS.addFeed() to exfiltrate data and fetch additional attacker-controlled code.
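A triage heuristic for the two API names mentioned above, as an added example that is not from Adobe, EXPMON or the original article: it searches a PDF's raw bytes and its Flate-compressed streams for those names. The function names and the sample blob are constructed for illustration, and it assumes the JavaScript is stored plainly or under a single FlateDecode filter, so obfuscated or differently encoded scripts will not match.

```python
import re
import zlib

# API names taken from the article; matching them is a triage heuristic only.
SUSPECT_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")
# Body of each "stream ... endstream" pair (the lookbehind skips "endstream").
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def decoded_views(pdf_bytes):
    """Yield (label, data) for the raw file and for each stream that inflates."""
    yield "raw", pdf_bytes
    for idx, match in enumerate(STREAM_RE.finditer(pdf_bytes)):
        try:
            # decompressobj tolerates trailing or slightly truncated input
            yield f"stream#{idx}", zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw view already covers plain text


def scan_pdf(pdf_bytes):
    """Return whether the file declares JavaScript and sorted (api, location) hits."""
    hits = set()
    for label, data in decoded_views(pdf_bytes):
        for api in SUSPECT_APIS:
            if api in data:
                hits.add((api.decode(), label))
    has_js = re.search(rb"/(JavaScript|JS)\b", pdf_bytes) is not None
    return {"has_javascript": has_js, "hits": sorted(hits)}


def build_sample():
    """Constructed test input: a minimal PDF-like blob, not a real sample."""
    js = b"/* constructed */ util.readFileIntoStream; RSS.addFeed;"
    packed = zlib.compress(js)
    return (b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(packed)).encode()
            + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```

A hit is a reason to examine the file in an isolated analysis environment, and a clean result does not clear it.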

Adobe has released patches for multiple versions of Acrobat Reader on both Windows and macOS platforms. Users are advised to update immediately to protect against active exploitation.

The emergency fix comes amid heightened concerns about PDF-based attacks targeting enterprise environments, where Adobe Reader remains widely deployed.

## Sources

- [BleepingComputer](https://www.bleepingcomputer.com/news/security/adobe-rolls-out-emergency-fix-for-acrobat-reader-zero-day-flaw/)

---
Canonical: https://techandbusiness.org/newswire/QnO7x4BjxSH5gdfvmPXXkf
Retrieved: 2026-04-19T14:47:38.681Z
Publisher: Tech & Business (techandbusiness.org)
