Patch first. The fix for CVE-2026-34621 is available right now and you want it. CVSS 9.6, actively exploited, no good reason to wait.

Now for the uncomfortable part.

The first malicious sample showed up on VirusTotal on November 28, 2025. A file called “Invoice540.pdf”. It sat there while attackers used it in the real world. Adobe shipped the fix this week, in April 2026. That’s over four months of active exploitation before a patch existed.

Four months where opening the wrong PDF in Adobe Reader could get your machine owned.

The fix is out. Get it. But also think about what a four-month window means for your exposure, and whether Adobe Reader needs to be the default PDF handler on every machine in your environment.

