Adobe released an emergency update for Acrobat and Acrobat Reader to fix CVE-2026-34621, a zero-day exploited since at least December that lets malicious PDFs bypass sandboxing and invoke privileged JavaScript APIs. The observed exploit abuses functions like util.readFileIntoStream() and RSS.addFeed() to read and exfiltrate arbitrary local files without additional user interaction.
Key points
- Adobe issued emergency patches for Acrobat and Acrobat Reader to remediate CVE-2026-34621.
- The vulnerability allows malicious PDFs to bypass sandbox restrictions and call privileged JavaScript APIs.
- Exploits use APIs such as util.readFileIntoStream() and RSS.addFeed() to read and exfiltrate local files without user interaction.
- Researcher Haifei Li of EXPMON discovered the issue after analyzing a sample named “yummy_adobe_exploit_uwu.pdf”.
- Adobe initially rated the flaw as critical, then lowered the severity after changing the attack vector to local; users should apply the updates immediately.
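For triaging PDFs already sitting in mail quarantine or on file shares, the two API names above can serve as a coarse hunting signal. The following is an added example, not code from Adobe or EXPMON: a heuristic scanner that inflates Flate-compressed streams and reports which of the named APIs appear. The function names, the regex-based stream extraction, and the sample documents are assumptions constructed for illustration.

```python
import re
import zlib

# API names as given in the article. Assumption: their presence in a PDF's
# JavaScript is a triage signal only, not proof of exploitation.
WATCHED_APIS = ("util.readFileIntoStream", "RSS.addFeed")

# Tolerate whitespace around the dot, e.g. "util . readFileIntoStream".
API_PATTERNS = {
    api: re.compile(rb"\b" + rb"\s*\.\s*".join(
        re.escape(part.encode()) for part in api.split(".")) + rb"\b")
    for api in WATCHED_APIS
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decoded_views(pdf_bytes):
    """Yield the raw file, then every stream body that inflates as zlib."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a trimmed trailing byte or padding
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw view already covers it


def scan_pdf(pdf_bytes):
    """Return the sorted watched API names found in raw or inflated content."""
    hits = set()
    for view in decoded_views(pdf_bytes):
        text = view.replace(b"\x00", b"")  # collapse UTF-16BE script strings
        hits.update(api for api, pat in API_PATTERNS.items() if pat.search(text))
    return sorted(hits)


def build_sample(js):
    """Constructed fixture: one Flate-compressed stream in PDF-like framing."""
    body = zlib.compress(js)
    return (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample(b"util.readFileIntoStream(); RSS.addFeed();")))
    print(scan_pdf(build_sample(b"app.alert('hello');")))
```

A clean result does not clear a file: scripts that build the API names at runtime, or streams using filters other than Flate, are outside what this check sees, so patching remains the actual fix.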