Adobe Acrobat Reader Vulnerabilities Let Attackers Execute Arbitrary Code

Adobe has released a critical security bulletin on April 14, 2026, to address multiple vulnerabilities in Adobe Acrobat and Reader for Windows and macOS.

According to the official advisory, successful exploitation of these flaws could allow attackers to execute arbitrary code or read arbitrary files on a targeted system.

While these threats carry high severity ratings, Adobe confirmed that they are not currently aware of any active exploits in the wild.

Arbitrary code execution is particularly dangerous in document readers, as threat actors frequently use phishing emails to trick victims into opening weaponized files.

Once a malicious PDF is opened, an attacker could silently install malware, steal sensitive data, or establish a foothold within a corporate network.

Adobe Acrobat Reader Vulnerabilities

The latest security patch addresses two specific vulnerabilities. Both are categorized as Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution (CWE-1321).

This type of flaw occurs when a script manipulates standard object behavior, allowing attackers to bypass security controls.

The security bulletin highlights the following technical details:

• CVE-2026-34622: A critical vulnerability with a high CVSS base score of 8.6, allowing arbitrary code execution in the context of the current user, was reported by a security researcher known as YH from Zscaler.
• CVE-2026-34626: Rated as important with a CVSS base score of 6.3, this flaw could result in arbitrary file system reads and expose sensitive local data, discovered by researcher greenapple.

These security flaws affect multiple tracks of Adobe’s PDF software on both Windows and macOS.

Users running outdated software are at risk of potential compromise if they interact with a maliciously crafted document.

The affected products include:

• Acrobat DC and Acrobat Reader DC (Continuous Track) versions 26.001.21411 and earlier for both Windows and macOS.
• Acrobat 2024 (Classic Track) version 24.001.30362 and earlier for Windows.
• Acrobat 2024 (Classic Track) version 24.001.30360 and earlier for macOS.

Mitigations

Adobe rated these updates as Priority 2, meaning no active exploits are known, but patches should be applied promptly to prevent future attacks.

Adobe strongly recommends updating software installations to the newly patched versions: 26.001.21431 for the Continuous Track and 24.001.30365 for the Classic 2024 Track.

Users and IT administrators can secure their environments using the following methods:

• Open the Adobe application and manually trigger the patch by navigating to Help and selecting Check for Updates.
• Rely on automatic updates if enabled, which will patch the software in the background without requiring manual user intervention.
• Download the latest full installer directly from the official Adobe Acrobat Reader Download Center.
• Deploy updates across managed enterprise environments using standard administrative tools such as SCCM for Windows or Apple Remote Desktop for macOS.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Adobe Acrobat Reader Vulnerabilities Let Attackers Execute Arbitrary Code appeared first on Cyber Security News.