โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY ๐Ÿ”ด 1ร—KEV

CVE-2026-34621 in Adobe Acrobat and Reader: Actively Exploited Zero-Day (KEV)

April 14, 2026 | Exploit Risk: 0.584 | Intelligence Score: 64/100 | 4 sources synthesized
Intelligence Metadata
First Reported By: portal.auscert.org.au
Outbreak Velocity: 920 minutes spread to 4 unique domains
Consensus: 4 sources across 4 unique domains
CVSS Score: 9.6
EPSS Score: 0.00038 (3.8th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.5842
Race Label: ZERO-DAY RACE

Technical Analysis

CVE-2026-34621 is a critical Remote Code Execution (RCE) vulnerability in Adobe Acrobat and Reader. Public technical details on the specific vulnerability class are not yet available. However, the CVSS score of 9.6 indicates a low-complexity attack vector that likely requires minimal user interaction, such as opening a specially crafted PDF document. Successful exploitation allows an attacker to execute arbitrary code on the victim's system, potentially with the privileges of the logged-in user.

The attack chain is initiated when a user opens a malicious PDF file. The exploit triggers the underlying vulnerability within the PDF parsing engine, leading to code execution. This type of vulnerability is common in complex file format parsers and often involves memory corruption bugs. The high impact and low complexity ratings suggest that the exploit does not require special configurations or authenticated access to the target system.

Affected Systems

Vendor: Adobe
Affected Versions:
  • Adobe Acrobat
  • Adobe Reader
Exposure: Affects endpoints with vulnerable versions of Adobe Acrobat or Reader installed. Exploitation requires a user to open a malicious file.
Blast Radius: High. Adobe Acrobat and Reader are widely deployed across enterprise and consumer endpoints, making a large number of systems potentially vulnerable.

Intelligence Context

The primary driver for immediate action is the CONFIRMED evidence of active exploitation, as documented by its addition to the CISA KEV catalog on 2026-04-13. This designation overrides other metrics. Notably, the EPSS score is exceptionally low (0.00038), which would normally suggest a low probability of exploitation. This discrepancy is characteristic of a zero-day exploit used in targeted attacks before its discovery and public disclosure. Statistical models like EPSS require time and data to adjust to new threats, making the KEV catalog the authoritative source for prioritization in this case. The 'ZERO-DAY RACE' label accurately reflects the situation: defenders are responding to an exploit that was already in use by threat actors.

Remediation & Defense

Patch immediately. This is a CISA KEV-listed zero-day vulnerability under active exploitation. Prioritize patching on all systems, especially those used by high-risk users.
Patch Status: Available
Patch Version: Refer to the Adobe security bulletin associated with AUSCERT alert ESB-2026.3505 for the specific patched versions.
Workarounds:
  • No workarounds have been published. Patching is the only specified mitigation.
Detection Hints:
  • Monitor for suspicious child processes spawned by Acrobat.exe or AcroRd32.exe, such as cmd.exe or powershell.exe.
  • Use endpoint detection and response (EDR) tools to look for anomalous behavior from Adobe processes following the opening of a PDF document.
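
The child-process hint above as detection logic, in an added example that is not part of the original article: it flags the shells named in the hint when Acrobat.exe or AcroRd32.exe is their parent, and goes one step beyond the hint by also following descendants of those processes. Event field names follow Sysmon Event ID 1; the helper names, paths, GUIDs and sample events are constructed for illustration.

```python
from ntpath import basename  # splits Windows paths correctly on any host OS

ADOBE = {"acrobat.exe", "acrord32.exe"}   # parent images named in the hint
SHELLS = {"cmd.exe", "powershell.exe"}    # child images named in the hint

def ev(guid, image, pguid, pimage, cmd=""):
    """Build one constructed event using Sysmon Event ID 1 field names."""
    return {"ProcessGuid": guid, "Image": image, "ParentProcessGuid": pguid,
            "ParentImage": pimage, "CommandLine": cmd}

ACRO = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
ACROCEF = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"
RDR = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry in creation order. Not real incident data.
SAMPLE_EVENTS = [
    ev("g1", ACRO, "g0", EXPLORER, "Acrobat.exe invoice.pdf"),
    ev("g2", ACROCEF, "g1", ACRO),                      # normal helper process
    ev("g3", CMD, "g1", ACRO, "cmd.exe /c whoami"),     # direct child shell
    ev("g4", PS, "g3", CMD, "powershell.exe -nop"),     # grandchild shell
    ev("g5", PS, "g0", EXPLORER, "powershell.exe"),     # user-launched, unrelated
    ev("g6", PS.upper(), "g7", RDR, "POWERSHELL.EXE"),  # image name case varies
]

def find_shell_descendants(events):
    """Return (shell, adobe_origin, command_line) for shells under an Adobe process."""
    origin_of = {}  # ProcessGuid -> Adobe image this process descends from
    alerts = []
    for e in events:
        image = basename(e["Image"]).lower()
        parent = basename(e["ParentImage"]).lower()
        # Direct child of Acrobat/Reader, or child of an already-tracked descendant.
        origin = parent if parent in ADOBE else origin_of.get(e["ParentProcessGuid"])
        if origin is None:
            continue
        origin_of[e["ProcessGuid"]] = origin
        if image in SHELLS:
            alerts.append((image, origin, e["CommandLine"]))
    return alerts

if __name__ == "__main__":
    for shell, origin, cmd in find_shell_descendants(SAMPLE_EVENTS):
        print(f"ALERT {shell} descends from {origin}: {cmd}")
```

Helper processes that Acrobat and Reader start in normal operation are tracked but never alerted on, so only a shell appearing somewhere beneath them raises an alert.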
