Full Report
Adobe has released an emergency security update for Acrobat Reader to fix a vulnerability, tracked as CVE-2026-34621, that has been exploited in zero-day attacks since at least December. [...]
Analysis Summary
# Vulnerability: Acrobat Reader Sandbox Bypass and Arbitrary File Access
## CVE Details
- **CVE ID:** CVE-2026-34621
- **CVSS Score:** 8.6 (High) - *Modified from initial 9.6 rating*
- **CWE:** Sandbox Escape / Privilege Escalation (Specific CWE not provided, but involves improper restriction of privileged APIs).
## Affected Systems
- **Products:** Adobe Acrobat DC, Acrobat Reader DC, and Acrobat 2024.
- **Versions:**
  - **Acrobat DC / Reader DC:** Versions 26.001.21367 and earlier (Windows and macOS).
  - **Acrobat 2024:** Versions 24.001.30356 and earlier.
- **Configurations:** Systems where restricted JavaScript APIs can be invoked via malicious PDF documents.
## Vulnerability Description
CVE-2026-34621 is a critical vulnerability that allows a specially crafted PDF file to bypass Adobe’s sandbox restrictions. By escaping the sandbox, the exploit can invoke privileged JavaScript APIs that are normally restricted for security reasons. Specifically, attackers abuse the `util.readFileIntoStream()` API to read local files from the victim's machine and use `RSS.addFeed()` to exfiltrate that data or fetch secondary malicious payloads from attacker-controlled servers.
## Exploitation
- **Status:** **Exploited in the wild** as a zero-day since December.
- **Complexity:** Low (No user interaction required beyond opening the file).
- **Attack Vector:** Local (Initial vector was cited as Network, then revised to Local).
## Impact
- **Confidentiality:** High (Ability to read and steal arbitrary local files).
- **Integrity:** High (Potential for arbitrary code execution and fetching additional malware).
- **Availability:** High (Potential for system compromise).
## Remediation
### Patches
Adobe recommends updating to the following versions immediately:
- **Acrobat DC / Acrobat Reader DC:** Version 26.001.21411 or higher.
- **Acrobat 2024 (Windows):** Version 24.001.30362 or higher.
- **Acrobat 2024 (macOS):** Version 24.001.30360 or higher.
Users should navigate to **Help > Check for Updates** within the application to apply the fix.
### Workarounds
- No official vendor workarounds are available.
- **General Mitigation:** Exercise extreme caution when opening PDF files from unsolicited sources. Open suspicious files in an isolated or non-persistent virtual environment.
## Detection
- **Indicators of Compromise (IoC):**
  - File Name: `_yummy_adobe_exploit_uwu.pdf`
  - SHA-256 Hash: `65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7`
  - Lures: Russian-language documents related to the oil and gas industry.
- **Detection Methods:** Security solutions using "detection in depth" for PDF JavaScript execution may identify the misuse of the `util.readFileIntoStream()` and `RSS.addFeed()` APIs.
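As an added illustration of the static side of such detection (this is example code written for this summary, not a tool from Adobe, EXPMON or the researcher), the following Python scanner inflates FlateDecode streams in a PDF and flags documents that carry JavaScript referencing the two restricted APIs named above. The sample PDF it builds is constructed here purely to exercise the scanner and contains only the API names, not a working exploit; a production check would also need to handle other stream filters and object streams.

```python
import re
import zlib

# Restricted Acrobat JavaScript APIs that the advisory reports being abused in CVE-2026-34621.
SUSPICIOUS_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/JS\b|/JavaScript\b")

def _inflate(data: bytes) -> bytes:
    """Best-effort FlateDecode; returns the raw bytes if the stream is not deflate-compressed."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        try:
            # Tolerate trailing junk or a truncated stream.
            return zlib.decompressobj().decompress(data)
        except zlib.error:
            return data

def scan_pdf_bytes(pdf: bytes) -> dict:
    """Report whether the PDF carries JavaScript and which restricted APIs its content references."""
    bodies = [pdf] + [_inflate(m.group(1)) for m in STREAM_RE.finditer(pdf)]
    result = {"has_javascript": False, "apis": set()}
    for body in bodies:
        if JS_KEY_RE.search(body):
            result["has_javascript"] = True
        for api in SUSPICIOUS_APIS:
            if api in body:
                result["apis"].add(api.decode())
    return result

def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (not an exploit): an OpenAction JavaScript stream that names the APIs."""
    js = (b"// constructed sample: references the restricted APIs by name only\n"
          b"util.readFileIntoStream; RSS.addFeed;")
    comp = zlib.compress(js)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(comp)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf_bytes(build_sample_pdf()))
```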
## References
- **Vendor Advisory:** hxxps[://]helpx[.]adobe[.]com/security/products/acrobat/apsb26-43[.]html
- **EXPMON Analysis:** hxxps[://]pub[.]expmon[.]com/analysis/328131/
- **Researcher Blog:** hxxps[://]justhaifei1[.]blogspot[.]com/
- **VirusTotal Report:** hxxps[://]www[.]virustotal[.]com/gui/file/65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7