https://helpx.adobe.com/security/products/acrobat/apsb26-43.html

Adobe has released an emergency security update to address a critical vulnerability in Acrobat and Acrobat Reader, tracked as CVE-2026-34621, which has been exploited in zero-day attacks since at least December. The flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, enabling arbitrary code execution and the theft of local files, all without requiring any user interaction beyond opening the document. The exploit specifically abuses APIs such as util.readFileIntoStream() to read local files and RSS.addFeed() to exfiltrate stolen data and fetch additional attacker-controlled code.
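A triage check a defender could run over inbound PDFs for the two API names mentioned above. It is an added example, not code from Adobe or from the researcher. It inflates Flate-compressed streams because a plain string search misses compressed JavaScript; the function names and the sample bytes are constructed for illustration.

```python
import re
import zlib

# The two API names the article says the exploit abuses.
SUSPECT_APIS = ("util.readFileIntoStream", "RSS.addFeed")

# Body of every "stream ... endstream" object in the file.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decoded_views(pdf: bytes):
    """Yield the raw file, then each stream body that inflates as zlib data."""
    yield pdf
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the EOL that precedes "endstream".
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not FlateDecode, or encrypted: left for deeper tooling


def triage_pdf(pdf: bytes) -> list:
    """Return the suspect API names found in raw or inflated content."""
    hits = set()
    for view in decoded_views(pdf):
        for api in SUSPECT_APIS:
            # PDF text strings may be single-byte encoded or UTF-16BE.
            if api.encode() in view or api.encode("utf-16-be") in view:
                hits.add(api)
    return sorted(hits)


def make_sample(script: bytes) -> bytes:
    """Constructed input: one Flate-compressed stream in a minimal PDF-like wrapper."""
    body = zlib.compress(script)
    head = (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n")
    return head + body + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    # Constructed, inert text that only mentions the API names.
    sample = make_sample(b"util.readFileIntoStream(PLACEHOLDER); RSS.addFeed(PLACEHOLDER);")
    print(triage_pdf(sample))
```

A hit is a lead for analysis rather than a verdict, and obfuscated script or streams using other filters will not match.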

The vulnerability was uncovered by a security researcher after a PDF sample ominously named “yummy_adobe_exploit_uwu.pdf” was submitted for analysis on March 26. The file had already been uploaded to VirusTotal three days earlier, where only five of 64 security vendors flagged it as malicious.

Following the report, Adobe published a security bulletin over the weekend, initially rating the flaw as critical at 9.6 before revising the severity score to 8.6. Affected products include Acrobat DC and Acrobat Reader DC versions 26.001.21367 and earlier, as well as Acrobat 2024 versions 24.001.30356 and earlier, across both Windows and macOS. Adobe has listed no workarounds or mitigations, making the security update the only recommended course of action.