A booby-trapped PDF can take over your computer. Adobe just fixed it. Update now.

Stop what you’re doing. Right now.

Adobe just pushed an emergency patch for a zero-day flaw that hackers have been exploiting since at least December 2025. Four months. Silently. While you opened PDFs without a second thought.

You open PDFs every single day. Your tax return. Your boarding pass. That contract you signed last week. Your bank statement. Your kid’s school form. Every one of them could have been weaponized, and you would have had absolutely no idea.

Here’s what makes this one particularly nasty.

🔍 What’s happening

The flaw is tracked as CVE-2026-34621. Yeah, I know. Means nothing to you. Here’s what it does. 

Hackers figured out how to hide malicious code inside a completely normal-looking PDF. It looks real. It opens normally. But the moment you open it, the hidden code runs. No extra clicks. No downloading anything. No warning. Open the file, and you’re done.

Once they’re in, attackers can steal files directly off your hard drive, grab passwords, pull in more malicious code from their own servers and potentially take complete control of your machine. This isn’t theoretical. This was happening. 

Researchers found attacks running in the wild going back to December. Adobe sat on it until a security researcher named Haifei Li caught it, went public and forced their hand.

CISA, the federal cybersecurity agency, added it to their Known Exploited Vulnerabilities list yesterday and gave federal agencies until April 27 to patch. When the government issues a deadline, pay attention.

🛡️ Fix it right now

Two minutes. Do this before you open another PDF from anyone.

1. Open Adobe Acrobat Reader.
2. Click Help in the top menu.
3. Select Check for Updates.
4. Install everything.

You need version 26.001.21411 or higher. Acrobat 2024 users need 24.001.30362 on Windows or 24.001.30360 on Mac. Check your version under Help > About Adobe Acrobat Reader.

Can’t update at the moment? Don’t open any PDF you weren’t expecting. Even from someone you know. Attackers spoof senders. That email that looks like it’s from your bank or your accountant or your doctor? Could be bait.

The attacks researchers caught used Russian-language oil and gas industry documents, which points to a nation-state behind this. Those don’t stay targeted. They spread. They evolve. Your name doesn’t have to be on a list for you to get hit.

Update now. Who knew Adobe Reader could give you a paper cut this bad?

📩 Send this to someone who opens PDFs all the time, at work, does their own taxes or has never once updated Adobe Reader. So, most people you know.