Four months. That's how long CVE-2026-34621 was being used against real targets before Adobe shipped a fix.
Not a proof-of-concept. Not a theoretical demo. Active, in-the-wild exploitation, inside documents that looked like ordinary PDFs, against actual users, from at least December 2025 through April 11, 2026.
The patch dropped Saturday. If your Acrobat Reader isn't updated yet, this is the part where you stop reading and go do that.
What the Vulnerability Is
CVE-2026-34621 is a prototype pollution bug in Adobe Acrobat Reader, CVSS 8.6. Prototype pollution is a vulnerability class specific to JavaScript runtimes: every object inherits from a prototype chain that ends at Object.prototype, so if attacker-controlled input can write properties onto a shared prototype (typically by smuggling a key such as __proto__ through a recursive merge or a path-based setter), every object that inherits from that prototype picks those properties up. One write poisons the application's entire object graph.
In this case, a specially crafted PDF carries JavaScript that Acrobat Reader's scripting engine executes when the document is opened. The exploit uses the polluted prototype to reach arbitrary code execution. Meaning: open the PDF, run code. That code runs as you, under your permissions, on your machine.
Adobe's advisory (APSB26-43) initially rated the attack vector as Network, which was confusing for a bug that needs a file opened locally, then revised it on April 12 to Local. The practical impact is the same either way: opening a malicious PDF is all it takes.
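The mechanics of the class, as an added example that is not code from this post and not the Acrobat exploit: a recursive object merge (the classic prototype pollution sink) fed a JSON payload carrying an own __proto__ key, beside a hardened merge that refuses prototype-chain keys and builds nested containers with a null prototype. The payload and both merge functions are constructed for illustration; nothing here reproduces CVE-2026-34621's path from pollution to code execution, which the post does not describe.

```javascript
// Constructed payload standing in for attacker-controlled input. JSON.parse
// creates "__proto__" as an ordinary own key, which a naive recursive merge
// then walks straight into.
const PAYLOAD = JSON.parse('{"title":"Q1 report","__proto__":{"isAdmin":true}}');

// Vulnerable sink: recursive merge that trusts every key in the source.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      // With key === "__proto__", target[key] IS Object.prototype, so the
      // recursive call writes the attacker's properties onto it.
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened sink: own keys only, prototype-chain keys refused, and nested
// containers created with a null prototype so there is nothing above them
// to poison even if one check is bypassed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run the vulnerable merge and observe that an unrelated, freshly created
// object inherits the attacker's property. The pollution is removed afterwards
// so the rest of the runtime stays clean.
function demoUnsafe() {
  const before = ({}).isAdmin;
  unsafeMerge({}, PAYLOAD);
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return { before, after };
}

// Run the hardened merge: ordinary keys survive, the shared prototype stays
// clean, and no "__proto__" own property is created on the result either.
function demoSafe() {
  const merged = safeMerge({}, PAYLOAD);
  return {
    title: merged.title,
    leaked: ({}).isAdmin,
    ownProtoKey: hasOwn(merged, '__proto__'),
  };
}

console.log('unsafe:', demoUnsafe()); // { before: undefined, after: true }
console.log('safe:', demoSafe());     // { title: 'Q1 report', leaked: undefined, ownProtoKey: false }
```

The point to take from the unsafe run is that the object that ends up carrying isAdmin was never touched by the merge at all; that is what makes the class dangerous in a large runtime, where the code that later reads the poisoned property can be anywhere.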
Four Months Is a Long Time
Security researcher Haifei Li and the team at EXPMON are credited with finding this. Their disclosure revealed that exploitation started as far back as December 2025, which means attackers had this working for roughly four months before it was publicly disclosed and patched.
That's not unusual in the world of zero-days. What makes it notable is that PDF-based delivery is old, reliable, and trusted. People open PDFs from email attachments. From intranet portals. From "secure" document sharing systems. From vendors. From HR.
A PDF that runs malicious JavaScript and triggers memory corruption doesn't need a phishing lure that says "URGENT: click here." It just needs to be opened. That's the attack surface.
I've seen this pattern a lot in client environments. The perimeter gets hardened, email filtering improves, people get phishing training. Then someone sends a report in PDF format and the whole exercise is irrelevant. Document-based exploitation persists because documents are functionally trusted objects in most organizations.
What to Do
The fix is straightforward.
Update Adobe Acrobat DC to version 26.001.21411. Update Acrobat 2024 to 24.001.30362 (Windows) or 24.001.30360 (macOS). Run the update now, not at the next patch cycle, not during your quarterly maintenance window. This was being exploited for four months. It'll keep being exploited until you patch.
If you're managing endpoints at scale: APSB26-43 carries a Priority 1 rating from Adobe, the rating reserved for vulnerabilities that are being targeted, or are at higher risk of being targeted, by exploits in the wild, with Adobe's own recommendation to install within 72 hours. Treat it as a P1 accordingly: an out-of-band push, not the next scheduled deployment ring.
If your organization is still running Acrobat 2020 or Reader XI for legacy reasons, those versions are not listed as receiving patches, so there is nothing to install. You have a different problem: migrate those machines off the unsupported track, and until that is done, disable Acrobat JavaScript in the reader preferences and enforce it by policy. The exploit is delivered as JavaScript that the scripting engine runs, so that is a stopgap, not a fix.
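A triage check for fleet inventory, added here as an example; it is not part of this post and not Adobe's tooling. It takes the fixed builds the post lists, classifies an exported inventory of product/version/platform rows (constructed below, not real hosts) as patched, vulnerable, unsupported or unknown, and handles the trap in the 2024 track where the macOS fixed build number is lower than the Windows one. Assumptions: Acrobat Reader DC carries the same fixed build as Acrobat DC (verify against APSB26-43), product names are matched by the track tokens DC, 2024, 2020 and XI, and the inventory format is hostname,product,version,platform.

```javascript
// Fixed builds exactly as the post lists them for APSB26-43.
// Assumption (verify against the advisory): Acrobat Reader DC shares the
// Acrobat DC build number.
const FIXED_BUILDS = {
  dc:   { windows: '26.001.21411', macos: '26.001.21411' },
  2024: { windows: '24.001.30362', macos: '24.001.30360' },
};

// Tracks the post says are not listed as receiving a fix.
const UNSUPPORTED_TRACKS = new Set(['2020', 'xi']);

// Map a product display name onto a track. Token matching is an assumption
// about how the inventory names products; adjust to your own export.
function trackOf(product) {
  const p = product.toLowerCase();
  if (/\b2020\b/.test(p)) return '2020';
  if (/\bxi\b/.test(p)) return 'xi';
  if (/\b2024\b/.test(p)) return '2024';
  if (/\bdc\b/.test(p)) return 'dc';
  return 'unknown';
}

// Acrobat builds are three numeric fields; "001" must compare as 1, so a
// plain string comparison is not good enough.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function classify(product, version, platform) {
  const track = trackOf(product);
  if (UNSUPPORTED_TRACKS.has(track)) {
    return { status: 'UNSUPPORTED', note: `${product}: no fix listed, migrate or mitigate` };
  }
  const fixed = (FIXED_BUILDS[track] || {})[platform.toLowerCase()];
  if (!fixed) {
    return { status: 'UNKNOWN', note: `no fixed build known for ${product} on ${platform}` };
  }
  return compareVersions(version, fixed) >= 0
    ? { status: 'PATCHED', note: `${version} >= ${fixed}` }
    : { status: 'VULNERABLE', note: `${version} < ${fixed}, push the update` };
}

// Constructed inventory, not real hosts: hostname,product,version,platform.
// hr-lt-07 reports the macOS fixed build on Windows, which is still unpatched.
const INVENTORY = `
fin-lt-014,Adobe Acrobat DC,26.001.21411,Windows
fin-lt-022,Adobe Acrobat Reader DC,26.001.20000,Windows
hr-mac-03,Adobe Acrobat 2024,24.001.30360,macOS
hr-lt-07,Adobe Acrobat 2024,24.001.30360,Windows
legacy-scan-1,Adobe Acrobat 2020,20.005.30748,Windows
kiosk-2,Adobe Reader XI,11.0.23,Windows
`;

// Returns { hostname: status } so one run can be diffed against the next.
function triage(csv) {
  const result = {};
  for (const line of csv.split('\n')) {
    if (!line.trim()) continue;
    const [host, product, version, platform] = line.split(',').map((s) => s.trim());
    result[host] = classify(product, version, platform).status;
  }
  return result;
}

console.log(triage(INVENTORY));
```

Feed it the export from whatever already inventories your endpoints; the value is in the two cases that a "is it on the latest version?" glance misses, the wrong-platform build number and the tracks where there is no version to compare against.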
The Wider Point
Adobe Reader sits on almost every managed laptop in the enterprise. It's installed by default in many images, required by countless internal workflows, and treated as infrastructure-level software that gets patches the same week everyone gets around to it. That's the wrong posture.
PDF readers are a persistent exploitation target precisely because they have broad deployment, rich scripting capabilities, and legacy trust. Four months of silent exploitation should reset some assumptions about how quickly document-processing software needs to be patched.
Patch. Verify. Move on.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want the uncomfortable conversation before the incident report.