CVE-2026-34621

Adobe Acrobat & Reader — Zero-Day JavaScript Prototype Pollution Leading to Arbitrary Code Execution
⚠️ CVSS 3.1  8.6 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is Adobe Acrobat and Reader?

Adobe Acrobat and Acrobat Reader are the world's most widely deployed PDF applications, installed on hundreds of millions of endpoints globally. PDF documents embed JavaScript support via Acrobat's built-in JavaScript engine — a feature used for interactive forms, automated workflows, and dynamic content. This JavaScript engine is also the attack surface exploited in CVE-2026-34621. Because Acrobat is a trusted, everyday application used to open documents from email attachments and the web, malicious PDFs are among the most effective phishing payloads in use today.

Overview

Zero-Day — Actively Exploited Since November 2025. CVE-2026-34621 was exploited in the wild for approximately five months before Adobe issued an emergency out-of-band patch on April 11, 2026. CISA added it to the Known Exploited Vulnerabilities catalog on April 13, 2026, two days after the patch shipped. Apply updates immediately.

CVE-2026-34621 is a prototype pollution zero-day vulnerability (CWE-1321) in the JavaScript engine embedded in Adobe Acrobat and Reader. A malicious PDF containing crafted JavaScript can inject attacker-controlled properties onto Object.prototype, the root of every object's prototype chain, so that unrelated code inside the application picks those properties up and ends up executing attacker-controlled code with the privileges of the current user. The CVSS Scope: Changed rating (8.6) reflects that successful exploitation can impact components beyond the Acrobat process boundary.

Affected Versions

Product track | Vulnerable versions | Fixed version
Acrobat DC / Reader DC (Continuous) | 26.001.21367 and earlier | 26.001.21411
Acrobat 2024 / Reader 2024 (Classic) | 24.001.30356 and earlier | 24.001.30362 (Windows) / 24.001.30360 (macOS)

Both Windows and macOS platforms are affected.

Technical Details

Root cause: JavaScript Prototype Pollution (CWE-1321)

Prototype pollution is a class of vulnerability specific to JavaScript (and other prototype-based languages). Every JavaScript object inherits properties from Object.prototype, the root of the prototype chain. If an application does not sanitize user-controlled keys before assigning properties to objects, an attacker can inject properties directly onto Object.prototype using keys like __proto__ (which resolves to the object's prototype rather than to an own property) or constructor followed by prototype (which reaches the same shared object through the constructor function).

Once Object.prototype is poisoned, every object in the application that reads a property it does not define itself will find the attacker's injected value through prototype chain lookup. In a complex application like Acrobat's JavaScript engine, this can corrupt security-sensitive code paths, override internal configuration flags, or hijack function references, ultimately leading to arbitrary code execution.

Exploit flow:

  1. Deliver malicious PDF: Attacker sends a PDF (via email, download link, or document share) containing embedded JavaScript
  2. Trigger prototype pollution: The PDF's JavaScript feeds a crafted object (for example, attacker JSON parsed with JSON.parse, which yields an own property literally named __proto__) into a recursive merge, deep-copy, or property-assignment routine that does not reject prototype-chain keys, thereby injecting malicious properties onto Object.prototype
  3. Influence application behavior: Acrobat's internal JavaScript code — operating in the same engine context — encounters the poisoned prototype when accessing properties on various objects, triggering security-sensitive code paths
  4. Code execution: The attacker's injected logic is invoked in a security-sensitive context, achieving arbitrary code execution in the context of the Acrobat process
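The merge pattern named in step 2, shown as an added example that is not Acrobat's code and is not taken from any exploit: a naive recursive merge that accepts a JSON document carrying a `__proto__` member, beside a hardened version that rejects prototype-chain keys and copies nested values into null-prototype objects. The `allowPrivileged` flag, the function names and the payload are constructed for illustration; the only thing taken from the text is the mechanism.

```javascript
"use strict";

// Keys that, when written through a plain object, reach the prototype chain
// instead of the object itself.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE (CWE-1321): copies every enumerable key of `source` into `target`.
// When key === "__proto__", target[key] evaluates to Object.prototype itself,
// so the recursive call writes the attacker's properties onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: skip prototype-chain keys, only descend into properties that
// `target` owns, and build nested containers with no prototype at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Stand-in (constructed, not an Acrobat API) for an internal check that reads a
// flag nobody explicitly set. A real engine has many such lookups.
function isPrivilegedAllowed(config) {
  return config.allowPrivileged === true;
}

// Constructed attacker-controlled JSON. JSON.parse keeps the "__proto__" member
// as an ordinary own property named "__proto__"; the merge is what turns it into
// a write against Object.prototype.
const ATTACKER_JSON = '{"title":"invoice","__proto__":{"allowPrivileged":true}}';

// Runs one merge strategy against the payload and reports what leaked.
// Cleans Object.prototype afterwards so the process is left as it was found.
function runScenario(merge) {
  const config = merge({}, JSON.parse(ATTACKER_JSON));
  const freshObject = {};                          // created later, unrelated to config
  const result = {
    ownKeys: Object.keys(config),                  // what the merge visibly produced
    freshObjectPolluted: freshObject.allowPrivileged === true,
    checkPasses: isPrivilegedAllowed({}),          // does the "unset" flag now read true?
  };
  delete Object.prototype.allowPrivileged;
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafeMerge:", runScenario(unsafeMerge));
  console.log("safeMerge:  ", runScenario(safeMerge));
}
```

With the unsafe merge the flag shows up on every object created afterwards, including the empty object handed to isPrivilegedAllowed, because the lookup falls through to the polluted Object.prototype while Object.keys(config) still shows only "title"; nothing about the merged object itself looks wrong. The hardened merge filters by key name rather than by source, so it also covers inputs that arrive through channels other than JSON.parse (query parsing, YAML, form field values). A blunter defense, Object.freeze(Object.prototype) at startup, stops this whole class but breaks any library that legitimately extends built-ins.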

Attack characteristics:

  • Authentication required: None
  • Complexity: Low — no special preconditions or race to win; once the document's JavaScript runs, the pollution is deterministic
  • User interaction: Required — victim must open the malicious PDF
  • Scope: Changed — exploitation can affect the host OS environment beyond the Acrobat process sandbox

Why "Scope: Changed" matters: The elevated CVSS score (8.6, against the 7.8 the same metrics would score with Scope: Unchanged) reflects that Acrobat's sandboxing can be escaped or bypassed as part of the exploit chain, so the impact lands on the broader operating system rather than staying inside the Acrobat process.

Exploitation Context

This vulnerability was exploited as a zero-day for approximately five months before Adobe became aware and issued a patch. The prolonged exploitation window suggests it was either:

  • Discovered and held privately by a threat actor (nation-state or cybercrime group) using it for targeted attacks, or
  • Circulating in limited criminal markets before broader adoption

The emergency out-of-band patch — Adobe typically releases Acrobat updates only on scheduled Patch Tuesdays — signals the severity of confirmed active exploitation. PDF-based zero-days with this profile are frequently used in targeted campaigns against journalists, legal professionals, government contractors, and financial institutions.

Remediation

  1. Update Adobe Acrobat and Reader immediately via Help → Check for Updates:
    • Acrobat DC / Reader DC: update to 26.001.21411 or later
    • Acrobat 2024: update to 24.001.30362 (Windows) or 24.001.30360 (macOS) or later
  2. Enable automatic updates to prevent future zero-day windows: Edit → Preferences → Updater → Automatically install updates
  3. Disable Acrobat JavaScript in environments that do not require interactive PDF forms, as a defense-in-depth measure: Edit → Preferences → JavaScript → uncheck "Enable Acrobat JavaScript". This preference is per-user and can be switched back on from the same dialog; in managed fleets, enforce it centrally through Adobe's FeatureLockDown policy (the bDisableJavaScript setting) so that users cannot re-enable it.
  4. Enable Enhanced Security / Protected View for files from untrusted sources: Edit → Preferences → Security (Enhanced) → Enable Enhanced Security
  5. Block malicious PDFs at the email gateway — configure email security tools to sandbox PDF attachments and strip or warn on PDFs with embedded JavaScript.
  6. Consider using an alternative PDF viewer for general document consumption (e.g., browser-based PDF rendering) and reserve Acrobat only for documents requiring full feature support.
  7. Audit for macOS exposure — confirm macOS endpoints running Acrobat are updated; the macOS fixed version (24.001.30360) differs from the Windows build number.
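For the gateway control in item 5, an added example that is not from the advisory or from any vendor product: a first-pass triage of a PDF's raw bytes for embedded JavaScript and for the action keys that run it on open, with PDF name escaping (#xx) undone first so that /J#61vaScript is not missed. The three sample documents are constructed minimal PDFs, not real samples, and the verdict labels are this example's own.

```javascript
"use strict";

// Undo PDF "#xx" hex escapes inside name tokens: "/J#61vaScript" -> "/JavaScript".
// A name runs from "/" up to the next whitespace or delimiter character.
function unescapePdfNames(text) {
  return text.replace(/\/([^\s\/\[\]<>(){}%]+)/g, (_match, name) =>
    "/" + name.replace(/#([0-9A-Fa-f]{2})/g, (_esc, hex) => String.fromCharCode(parseInt(hex, 16)))
  );
}

// Decides what to do with a file from the raw findings.
function verdictFor(f) {
  if (f.hasJavaScript && (f.autoExecutes || f.prototypeKeys.length > 0)) return "block";
  if (f.hasJavaScript) return "quarantine";   // script present but not auto-run: e.g. form logic
  if (f.hasObjectStreams) return "inspect";   // raw scan cannot see inside compressed object streams
  return "allow";
}

// Scans a PDF given as a latin1 string or a Buffer and returns the findings plus a verdict.
function triagePdf(pdf) {
  const raw = typeof pdf === "string" ? pdf : pdf.toString("latin1");
  const text = unescapePdfNames(raw);
  const findings = {
    hasJavaScript: /\/(JavaScript|JS)\b/.test(text),      // script action type or script body
    autoExecutes: /\/(OpenAction|AA)\b/.test(text),        // runs on open or on document events
    prototypeKeys: [...new Set(text.match(/__proto__|\bconstructor\b|\bprototype\b/g) || [])],
    hasObjectStreams: /\/Type\s*\/ObjStm\b/.test(text),    // dictionaries may be hidden in here
  };
  findings.verdict = verdictFor(findings);
  return findings;
}

// Constructed sample 1: a plain one-page document, no script.
const BENIGN_PDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF`;

// Constructed sample 2: JavaScript wired to /OpenAction, carrying a prototype-chain key.
const SCRIPTED_PDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
4 0 obj << /S /JavaScript /JS (var o = {}; o["__proto__"]["flag"] = 1;) >> endobj
trailer << /Root 1 0 R >>
%%EOF`;

// Constructed sample 3: the same structure with names hex-escaped to dodge naive grep.
const OBFUSCATED_PDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
4 0 obj << /S /J#61vaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF`;

// Constructed sample 4: objects packed into a compressed object stream; a raw scan
// sees no /JS here even if one exists inside the stream.
const OBJSTM_PDF = `%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj << /Type /ObjStm /N 2 /First 10 /Length 48 /Filter /FlateDecode >> stream
(compressed object data would be here)
endstream endobj
trailer << /Root 1 0 R >>
%%EOF`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, doc] of Object.entries({ BENIGN_PDF, SCRIPTED_PDF, OBFUSCATED_PDF, OBJSTM_PDF })) {
    console.log(name, triagePdf(doc));
  }
}
```

Raw token scanning is a cheap pre-filter, not a parser. A document can keep its /JS dictionary inside a compressed object stream (/Type /ObjStm with /FlateDecode), in which case none of these names appear in the bytes at all; the "inspect" verdict exists so those files are routed to a real PDF parser or a detonation sandbox rather than waved through. The prototype-key check is a heuristic that will also fire on benign scripts mentioning constructor or prototype, which is acceptable for a gateway whose fallback is quarantine rather than deletion.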

Key Details

Property | Value
CVE ID | CVE-2026-34621
Vendor / Product | Adobe — Acrobat and Reader
NVD Published | 2026-04-11
NVD Last Modified | 2026-04-13
CVSS 3.1 Score | 8.6
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
CISA KEV Added | 2026-04-13
CISA KEV Deadline | 2026-04-27
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Local
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Changed
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2026-04-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2025-11-01 | Earliest known in-the-wild exploitation of CVE-2026-34621 (estimated; exact date unconfirmed)
2026-04-11 | Adobe releases emergency out-of-band patch APSB26-43; zero-day publicly disclosed
2026-04-13 | CVE-2026-34621 added to the CISA Known Exploited Vulnerabilities catalog
2026-04-27 | CISA BOD 22-01 remediation deadline