A high-severity zero-day vulnerability in Adobe Acrobat and Reader is under active exploitation, according to CISA, and has prompted an emergency out-of-band patch for the widely deployed PDF software. Adobe issued the patch over the weekend, according to a company security bulletin.
The flaw, tracked as CVE-2026-34621, is a memory corruption issue that can allow local code execution. In practical terms, an attacker can trick a user into opening a specially crafted PDF file and gain control of the system—installing malware, stealing data, or moving laterally inside a network.
The vulnerability has been reassigned a high 8.6 CVSS severity score by the National Vulnerability Database. The flaw was originally rated critical (9.6) with a network attack vector; Adobe subsequently lowered the severity to 8.6 after changing the vector to local.
“Exploitation of this issue requires user interaction in that a victim must open a malicious file,” according to a description of the bug.
Adobe said the vulnerability impacts Acrobat DC and Acrobat Reader DC version 26.001.21367 and earlier, as well as Acrobat 2024 version 24.001.30356 and earlier. The company patched the issue in version 26.001.21411 for DC and Reader, 24.001.30362 for Windows-based Acrobat 2024, and 24.001.30360 for macOS.
The vulnerability came to light after Haifei Li, founder of the EXPMON exploit detection system, examined a suspicious PDF file submitted for analysis, “yummy_adobe_exploit_uwu.pdf.” He subsequently detailed his findings here.