CVE-2026-34621
CISA KEV

Critical client-side remote code execution vulnerability in Adobe Acrobat and Acrobat Reader caused by a use-after-free in the JavaScript-to-AcroForm bridge of the PDF rendering engine. When an attacker-supplied PDF triggers a crafted sequence of form-field mutations while a referenced object is being garbage collected, the engine dereferences a stale pointer whose target is controlled through heap grooming, yielding arbitrary code execution in the context of the Acrobat or Reader process. Exploitation requires only that the victim open the malicious PDF; no further user interaction is needed.

Observed in-the-wild exploitation pivots out of the Reader Protected Mode sandbox via a second-stage broker-abuse chain. Post-exploitation, the chain drops a loader to %APPDATA%\Adobe\Reader\, establishes persistence via the scheduled task 'AdobeAcroUpdater', and beacons to an HTTPS C2 server on port 443.

Targeted phishing campaigns between 2026-04-02 and 2026-04-09 delivered the weaponized PDFs as invoice and contract lures against finance, legal, and defense industrial base targets in North America and Europe. Adobe shipped emergency out-of-band patch APSB26-18 on 2026-04-13, and CISA added the CVE to the KEV catalog the same day.
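Two checks a responder would want from the description above, added here as example code (not from Adobe, CISA or the advisory itself): a static PDF triage that flags the JavaScript-plus-AcroForm-plus-automatic-action shape of the lure even when the action dictionary sits in a Flate-compressed object stream or its name is hex-escaped, and an IOC match over Windows Security event 4698 (scheduled task created) for the 'AdobeAcroUpdater' task name and the %APPDATA%\Adobe\Reader\ path. The sample PDF bytes and event records are constructed for the demo; the helper names and the executable names inside the records are hypothetical.

```python
"""Added triage helpers for the artifacts this advisory describes.

Constructed sample data only; the helper names and sample file names are
hypothetical and not taken from Adobe, CISA or the advisory text.
"""
import re
import zlib
from typing import Dict, List, Tuple

# ---- 1. Static PDF triage ---------------------------------------------------
# PDF name tokens may use #xx hex escapes (/J#53 is /JS), and dictionaries may
# sit inside Flate-compressed object streams, so decode both before matching.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_INDICATORS = {
    "javascript": re.compile(rb"/(?:JavaScript|JS)\b"),
    "acroform": re.compile(rb"/AcroForm\b"),
    "auto_action": re.compile(rb"/(?:OpenAction|AA)\b"),
}


def expand_pdf(data: bytes) -> bytes:
    """Return the raw bytes plus every stream that inflates with zlib, names unescaped."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, plain text, or another filter)
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), b"\n".join(parts))


def pdf_triage(data: bytes) -> Dict[str, bool]:
    """Flag JavaScript + AcroForm + automatic action: the ingredients of the lure.

    Heuristic only: a hit means the file carries the components, not that it
    reaches the vulnerable code path.
    """
    expanded = expand_pdf(data)
    hits = {name: bool(rx.search(expanded)) for name, rx in _INDICATORS.items()}
    hits["suspicious"] = hits["javascript"] and hits["acroform"]
    return hits


def build_sample_pdf(weaponized: bool) -> bytes:
    """Constructed minimal PDF skeleton (not a real exploit document)."""
    body = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R"
    if weaponized:
        # Catalog references a form and an OpenAction; the action dictionary is
        # hidden in a compressed object stream with the /JS name hex-escaped.
        body += b" /AcroForm 3 0 R /OpenAction 4 0 R >> endobj\n"
        action = b"4 0 obj << /S /JavaScript /J#53 (this.getField('f1').value = 1;) >> endobj"
        payload = zlib.compress(action)
        body += (b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
                 % len(payload)) + payload + b"\nendstream\nendobj\n"
    else:
        body += b" >> endobj\n"
    return body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# ---- 2. Host artifact hunt over Windows Security event 4698 ----------------
# The advisory's persistence is a scheduled task named 'AdobeAcroUpdater' whose
# action runs from %APPDATA%\Adobe\Reader\ (AppData\Roaming on disk). The real
# Adobe updater (AdobeARM) is installed under Program Files, so an Acrobat-themed
# task launching from the user profile is the anomaly worth alerting on.
_IOC_TASK = "adobeacroupdater"
_IOC_PATH = re.compile(r"\\AppData\\Roaming\\Adobe\\Reader\\", re.I)


def match_task_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a 4698 (scheduled task created) event matches the IOCs."""
    reasons: List[str] = []
    if str(event.get("EventID")) != "4698":
        return reasons  # 4702 (task updated) would deserve the same check in production
    if event.get("TaskName", "").strip("\\").lower() == _IOC_TASK:
        reasons.append("task name is 'AdobeAcroUpdater'")
    if _IOC_PATH.search(event.get("TaskContent", "")):
        reasons.append("task action runs from %APPDATA%\\Adobe\\Reader\\")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (task name, reasons) for every event that matches at least one IOC."""
    return [(e.get("TaskName", ""), r) for e in events if (r := match_task_event(e))]


# Constructed records in the field layout of Event ID 4698 (TaskContent is the task XML).
SAMPLE_EVENTS = [
    {"EventID": "4698", "TaskName": "\\Adobe Acrobat Update Task",
     "TaskContent": "<Command>C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe</Command>"},
    {"EventID": "4698", "TaskName": "\\AdobeAcroUpdater",
     "TaskContent": "<Command>C:\\Users\\jdoe\\AppData\\Roaming\\Adobe\\Reader\\acrord.exe</Command>"},
    {"EventID": "4698", "TaskName": "\\OneDrive Sync",
     "TaskContent": "<Command>C:\\Users\\jdoe\\AppData\\Roaming\\Adobe\\Reader\\svc.exe</Command>"},
    {"EventID": "4702", "TaskName": "\\AdobeAcroUpdater", "TaskContent": "<Command>x</Command>"},
]

if __name__ == "__main__":
    for label, flag in (("benign", False), ("weaponized", True)):
        print(label, pdf_triage(build_sample_pdf(flag)))
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

The PDF check is deliberately a triage filter: it identifies files carrying the lure's ingredients so they can be detonated in a sandbox, and it only sees streams that inflate with zlib, so files using other filters or encryption still need a proper parser. The task hunt fires on the path as well as the name because a renamed task dropped in the same directory is the cheap variation an operator would try first.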
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416 (Use After Free), CWE-787 (Out-of-bounds Write), CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution')
Threats tracking this CVE
- CVE-2026-34621: Adobe Acrobat and Reader Zero-Day Arbitrary Code Execution via Crafted PDF (Emergency Out-of-Band Patch) — CRITICAL
- CISA KEV Catalog Update: Seven Actively Exploited Vulnerabilities Added 2026-04-13 (Microsoft, Adobe, Fortinet) — CRITICAL
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-34621
- https://helpx.adobe.com/security/products/acrobat/apsb26-18.html
- https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
- https://socradar.io/blog/cve-2026-34621-adobe-acrobat-reader-0-day-pdf/
- https://www.cisa.gov/news-events/alerts/2026/04/13/adobe-releases-emergency-security-update
- https://www.bleepingcomputer.com/news/security/adobe-emergency-update-patches-exploited-acrobat-reader-zero-day/