A flaw in Adobe Acrobat Reader’s JavaScript engine went unfixed for more than a year after researchers found it, according to a new Exodus Intelligence analysis that shows how a malicious PDF could turn a memory error into code execution.
Adobe patched a related cluster of Acrobat and Reader vulnerabilities in April, including one critical flaw the company said was already being exploited in the wild.
Exodus on Monday published a detailed technical analysis of a use-after-free vulnerability in Adobe Reader’s Escript.api module, the component that handles embedded JavaScript inside PDF documents. Exodus said the bug was found in February 2025 and patched in April 2026, and that it likely corresponds to one of the high severity flaws CVE-2026-34621 and CVE-2026-34622, or to CVE-2026-34626, which is rated medium severity. The company did not definitively map the flaw to a single CVE.
According to Exodus, the attack required only that a target open a maliciously crafted PDF file that triggered the flaw.
“This vulnerability can be exploited without any other bug in Adobe Reader 32-bit,” Exodus wrote.
Exodus said the exploit chain for 32-bit Reader could bypass Data Execution Prevention, Address Space Layout Randomization and Control Flow Guard. For 64-bit Reader, Exodus said an attacker would still need a way to bypass PartitionAlloc to gain arbitrary read/write capability. PartitionAlloc is Chromium’s hardened memory allocator, also used by Acrobat Reader, that manages how memory is carved up, reused and protected to make bugs such as use-after-free harder to exploit.
Adobe issued a priority 1 patch April 11 under bulletin APSB26-43 for CVE-2026-34621, a critical prototype-pollution vulnerability that could lead to arbitrary code execution. Adobe said at the time that it was aware the flaw was being exploited in the wild.
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-34621 to its Known Exploited Vulnerabilities catalog two days later, on April 13, and gave federal civilian agencies until April 27 to apply vendor mitigations or discontinue use of the affected product if fixes were unavailable.
The National Vulnerability Database lists CVE-2026-34621 as affecting Acrobat DC and Acrobat Reader DC Continuous versions earlier than 26.001.21411 on Windows and macOS. NVD also notes that exploitation requires user interaction, meaning a target would have to open a malicious file or otherwise interact with attacker-supplied content.
How the patch reaches users
Adobe said the fix is available through Acrobat and Reader’s normal update channels. End users can manually update by opening Acrobat or Acrobat Reader and selecting Help > Check for Updates. Adobe also says Acrobat can automatically check for and install important updates when the automatic update setting is enabled.
Adobe says Acrobat updates are rolled out gradually, and enterprise environments often control how and when updates are deployed. In managed environments, Adobe says administrators can push updates through AIP-GPO, bootstrapper installs, SCUP/SCCM on Windows, or Apple Remote Desktop and SSH on macOS. Adobe also supports Remote Update Manager and internal update servers for organizations that stage updates before deployment.
The affected Acrobat Reader DC Continuous versions were 26.001.21367 and earlier. The fixed Continuous version is 26.001.21411. Acrobat 2024 users need version 24.001.30362 on Windows or 24.001.30360 on macOS.
Public exploitation details remain thin
Public reporting on exploitation remains limited, with no widely reported victim names or confirmed campaign attribution.
The clearest public evidence comes from EXPMON founder Haifei Li, who reported April 7 that EXPMON had detected a malicious PDF exploiting an unpatched Adobe Reader flaw. The sample was submitted to EXPMON on March 26 and had appeared on VirusTotal on March 23. Li later said a new variant found by another researcher had appeared on VirusTotal on Nov. 28, 2025, suggesting the campaign had been active for at least four months before Adobe’s patch.
Why there was such a gap between Exodus’ February 2025 discovery and Adobe’s April 2026 patch remains unclear. The Exodus post does not say when Adobe was notified, and Adobe’s bulletin does not explain the timing. Security Point Break has asked Adobe when it received the report, when it validated the flaw and why the fix was released in April 2026.
How the bug worked
The bug sits in the part of Adobe Reader that lets PDF files run JavaScript. That feature is useful for interactive forms and document workflows, but it also gives attackers a place to look for memory-safety mistakes.
In plain English, Exodus found a way to make Reader lose track of an object in memory.
Reader was using two internal systems to manage the same object. One system counted whether the object was still needed. The other kept a pointer to the object on an internal stack so Reader could return to it later. Under normal conditions, both systems should agree. The malicious PDF broke that agreement.
According to Exodus, an attacker could abuse a JavaScript feature called defineGetter() to change how a built-in Reader object behaves when Reader tries to convert it into text. That trick can force Reader into repeated internal calls until its native C++ stack limit is reached. When Reader hits that limit, it throws an exception and starts cleaning up.
That is where the bug appears. One cleanup path decides the object is no longer needed and frees it from memory. But the second bookkeeping system still holds a pointer to the same object. Reader now has a reference to memory that has already been released.
That condition is called a use-after-free. It is dangerous because attackers can sometimes refill the freed memory with data they control. If the application later follows the stale pointer, it may treat attacker-controlled data as if it were a legitimate internal object.
Exodus said its proof-of-concept showed how that mistake could be turned into code execution against 32-bit Adobe Reader. The exploit chain bypassed several Windows defenses, including Data Execution Prevention, Address Space Layout Randomization and Control Flow Guard. Those protections are designed to make memory-corruption bugs harder to exploit, not impossible to exploit.
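The getter-override pattern described above is also something defenders can triage for in PDF JavaScript. The following scanner is an added example, not code from Exodus or Adobe: it pulls JavaScript out of /JS literal strings and /JS stream objects (FlateDecode only, direct /Length only) and flags scripts that install a getter on toString or valueOf. The sample PDF fragments and their script are constructed for the demonstration and contain no exploit logic.

```python
import re
import zlib

# Constructed sample fragments (illustrative data, not a real exploit document). Both carry an
# OpenAction whose JavaScript overrides toString via __defineGetter__: one inline, one deflated.
JS_SRC = b"var o = {}; o.__defineGetter__('toString', function () { return 'x'; }); String(o);"
INLINE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (" + JS_SRC + b") >> endobj\n%%EOF\n")
_DEFLATED = zlib.compress(JS_SRC)
STREAM_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
              + b"3 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_DEFLATED)
              + _DEFLATED + b"\nendstream\nendobj\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

def read_literal(pdf, start):
    """PDF literal string whose '(' sits at pdf[start]; honours nested parens and escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(pdf):
        c = pdf[i:i + 1]
        if c == b"\\":                       # escaped byte: copy it verbatim
            out += pdf[i + 1:i + 2]; i += 2; continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out)                # closing ')' of the outer string
        if i > start:
            out += c
        i += 1
    return bytes(out)                        # unterminated string: return what we have

def extract_js(pdf):
    """Collect JavaScript from /JS (literal) entries and from /JS N 0 R stream objects."""
    scripts = [read_literal(pdf, m.end() - 1) for m in re.finditer(rb"/JS\s*\(", pdf)]
    for m in re.finditer(rb"/JS\s+(\d+)\s+0\s+R", pdf):
        obj = re.search(rb"(?m)^%s 0 obj\s*<<(.*?)>>\s*stream\r?\n" % m.group(1), pdf, re.S)
        length = re.search(rb"/Length\s+(\d+)", obj.group(1)) if obj else None
        if not length:
            continue                         # indirect /Length values are out of scope here
        body = pdf[obj.end():obj.end() + int(length.group(1))]
        if b"/FlateDecode" in obj.group(1):
            try: body = zlib.decompress(body)
            except zlib.error: continue
        scripts.append(body)
    return scripts

INDICATORS = [(rb"__defineGetter__", "getter override"),
              (rb"__defineGetter__\s*\(\s*['\"](toString|valueOf)['\"]", "toString/valueOf hook")]

def flag_pdf(pdf):
    """Indicator names hit by any script in the file (empty set = nothing flagged)."""
    return {name for js in extract_js(pdf) for pat, name in INDICATORS if re.search(pat, js)}
```

A hit is a triage signal, not a verdict: legitimate form scripts rarely redefine toString, but a flagged file still needs to be examined in a sandbox such as the one EXPMON used to catch the in-the-wild sample.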
Adobe’s warning means a malicious PDF could cause Acrobat Reader to run code chosen by an attacker, in the context of the user who opened the file. The flaw does not automatically give an attacker administrator rights on every system, but it could give an attacker a foothold, especially if the user has broad local privileges or if the attacker chains it with another bug, according to the NIST CVE record.
Why PDFs remain useful to attackers
The Adobe bug lands in a threat environment where PDF files remain a common delivery vehicle.
HP Wolf Security said PDF files accounted for 11% of threats stopped by its own HP Sure Click in the third quarter of 2025 (PDF), up 3 percentage points from the prior quarter. Email remained the leading delivery vector, accounting for 67% of threats, and at least 11% of email threats caught by HP had bypassed one or more email gateway scanners.
The HP report does not say those PDF threats exploited Acrobat Reader vulnerabilities. In fact, HP described recent PDF campaigns that used social engineering rather than software exploits, including fake Adobe update pages and PDF lures that pushed users toward malware downloads. The Exodus research underscores how a crafted PDF can exploit Reader itself, while HP’s telemetry shows why PDFs remain a reliable way to reach users (PDF).
The Acrobat bug fits a familiar pattern: attackers keep finding value in old, trusted software features that remain enabled because enterprises still depend on them.
Adobe said in 2026 that people open more than 400 billion PDFs and send more than 200 million PDFs in Acrobat every year. The PDF format also has long since moved beyond Adobe’s sole control and is maintained as an international standard, ISO 32000-2.
Defenders are advised to verify the installed version rather than trust that automatic updates have reached every Adobe installation across the network. Stale VDI images, golden images, offline laptops, disabled update services, tightly managed enterprise builds and users who rarely open Acrobat can all be overlooked in a patching regimen.
Adobe Reader DC Continuous should be updated to 26.001.21411 or later. Acrobat 2024 should be updated to 24.001.30362 on Windows or 24.001.30360 on macOS.
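One way to do that verification across an inventory, as an added example rather than an Adobe tool: compare each host’s reported build against the fixed build for its track and platform, using numeric rather than string comparison so a build such as 26.001.9999 is not mistaken for newer than 26.001.21411. The fixed builds are the ones named in this article; the inventory lines and the "Continuous"/"2024" track labels are constructed for the demonstration.

```python
# Fixed builds as reported in the article (Adobe bulletin APSB26-43).
FIXED = {
    ("Continuous", "Windows"): "26.001.21411",
    ("Continuous", "macOS"):   "26.001.21411",
    ("2024", "Windows"):       "24.001.30362",
    ("2024", "macOS"):         "24.001.30360",
}

def parse_version(v):
    """'26.001.21367' -> (26, 1, 21367); numeric tuples avoid the '9' > '2' string-compare trap."""
    return tuple(int(part) for part in v.strip().split("."))

def is_patched(track, platform, installed):
    """True when the installed build is at or above the fixed build for this track/platform."""
    return parse_version(installed) >= parse_version(FIXED[(track, platform)])

# Constructed inventory export (host, track, platform, installed version); not real telemetry.
INVENTORY = """\
vdi-gold-01,Continuous,Windows,26.001.21367
laptop-17,Continuous,macOS,26.001.21411
finance-03,2024,Windows,24.001.30362
design-mac-2,2024,macOS,24.001.30359
legal-09,Continuous,Windows,26.001.9999
"""

def unpatched_hosts(inventory_csv):
    """Return (host, reason) pairs for hosts below the fixed build or with an unknown track."""
    out = []
    for line in inventory_csv.splitlines():
        host, track, platform, ver = (f.strip() for f in line.split(","))
        if (track, platform) not in FIXED:
            out.append((host, "unknown track/platform"))
        elif not is_patched(track, platform, ver):
            out.append((host, "%s < %s" % (ver, FIXED[(track, platform)])))
    return out
```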