Critical Adobe Acrobat Reader Vulnerabilities Expose Users to Arbitrary Code Execution
Adobe has recently addressed critical security vulnerabilities in its Acrobat and Reader applications for Windows and macOS, which could allow attackers to execute arbitrary code or read sensitive files on affected systems. These vulnerabilities, identified as CVE-2026-34622 and CVE-2026-34626, have been patched in the latest software updates.
Understanding the Vulnerabilities
Both vulnerabilities are categorized under Prototype Pollution, a flaw that enables attackers to manipulate JavaScript objects and properties within an application. This manipulation can lead to unauthorized actions, such as arbitrary code execution or unauthorized file access.
– CVE-2026-34622: This critical vulnerability has a CVSS base score of 8.6. Exploitation could allow attackers to execute arbitrary code in the context of the current user. It was reported by a security researcher known as YH from Zscaler.
– CVE-2026-34626: Rated as important with a CVSS base score of 6.3, this flaw could result in arbitrary file system reads, potentially exposing sensitive local data. It was discovered by researcher greenapple.
Affected Versions
The vulnerabilities impact multiple versions of Adobe’s PDF software on both Windows and macOS platforms:
– Acrobat DC and Acrobat Reader DC (Continuous Track): Versions 26.001.21411 and earlier.
– Acrobat 2024 (Classic Track): Version 24.001.30362 and earlier for Windows; version 24.001.30360 and earlier for macOS.
Potential Risks
While Adobe has stated that there are currently no known active exploits for these vulnerabilities, the risks associated with arbitrary code execution are significant. Attackers often use phishing emails to trick users into opening malicious PDF files. Once opened, these files can install malware, steal sensitive information, or provide attackers with a foothold within a corporate network.
Mitigation Measures
Adobe has classified these updates as Priority 2, indicating that while there are no known active exploits, users should apply the patches promptly to prevent potential attacks.
To secure your environment:
1. Update Your Software: Ensure that your Adobe Acrobat and Reader installations are updated to the latest versions:
– Continuous Track: Version 26.001.21431.
– Classic 2024 Track: Version 24.001.30365.
2. Manual Update: Open the Adobe application, navigate to the Help menu, and select Check for Updates to manually trigger the update process.
3. Automatic Updates: If enabled, automatic updates will patch the software in the background without requiring user intervention.
4. Direct Download: Download the latest full installer from the official Adobe Acrobat Reader Download Center.
5. Enterprise Deployment: For managed enterprise environments, deploy updates using administrative tools such as SCCM for Windows or Apple Remote Desktop for macOS.
Conclusion
Maintaining up-to-date software is crucial in safeguarding systems against potential threats. Users and administrators are strongly encouraged to apply these updates promptly to mitigate the risks associated with these vulnerabilities.
