Of the 26 security holes fixed in the Windows and macOS versions of Acrobat and Reader, 16 have been assigned a “critical” severity rating (high severity based on their CVSS score), and a majority are memory-related issues that can be exploited for arbitrary code execution.

Four of these critical vulnerabilities — CVE-2021-44704 through CVE-2021-44707 — were disclosed by four different teams at China’s Tianfu Cup hacking contest.

Tianfu Cup organizers offered up to $60,000 for Reader exploits that achieved remote code execution with a sandbox escape. Researchers earned a total of $1.9 million at the event that took place in October.