Adobe releases emergency patch for actively exploited Acrobat Reader zero-day we reported Thursday (CVE-2026-34621)

Adobe has released an emergency security update (APSB26-43, priority-1) to patch CVE-2026-34621, the Adobe Reader zero-day we reported on April 10 that had been exploited since December 2025 via malicious PDF documents. The flaw has now been classified as a prototype pollution vulnerability leading to arbitrary code execution - more severe than the initial fingerprinting and data theft we described. Adobe confirmed it's worse than just information leakage: the underlying bug can achieve full RCE, not just the reconnaissance stage observed in early exploitation. CVSS was initially scored 9.6 but Adobe revised it down to 8.6 after changing the attack vector from Network to Local. EXPMON researcher Haifei Li, who first disclosed the flaw, was credited by Adobe. All users on Windows and macOS should update immediately - Adobe assigned this patch its highest priority rating.

Check

Update Adobe Acrobat and Reader immediately. If you disabled JavaScript in Reader based on our April 10 advisory, you should still update - the patch fixes the root cause.

Affected

All versions of Adobe Acrobat and Reader on Windows and macOS prior to the APSB26-43 patch. Adobe confirmed exploitation in the wild since at least December 2025.

Fix

Update Adobe Acrobat and Reader via Help > Check for Updates, or download from the Adobe Security Bulletin APSB26-43. This is a priority-1 patch - Adobe recommends installation within 72 hours. Keep Acrobat JavaScript disabled as defense-in-depth even after patching. Continue blocking the C2 indicator supp0v3[.]com and User-Agent string 'Adobe Synchronizer' at the network level.