Full Report
Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations. It has been described as
Analysis Summary
# Vulnerability: Adobe Acrobat Reader Prototype Pollution and Remote Code Execution
## CVE Details
- **CVE ID**: CVE-2026-34621
- **CVSS Score**: 8.6 (High)
- **CWE**: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes - 'Prototype Pollution')
## Affected Systems
- **Products**: Adobe Acrobat DC, Acrobat Reader DC, and Acrobat 2024
- **Versions**:
  - Acrobat DC/Reader DC: versions 26.001.21367 and earlier (Windows and macOS)
  - Acrobat 2024: versions 24.001.30356 and earlier (Windows and macOS)
- **Configurations**: Systems where users open untrusted PDF documents containing malicious JavaScript code.
## Vulnerability Description
CVE-2026-34621 is a prototype pollution vulnerability residing in the JavaScript engine used by Adobe Acrobat and Reader. The flaw allows an attacker to manipulate the attributes and properties of application objects. By injecting properties into the root object prototype, an attacker can influence application behavior to bypass security restrictions and achieve arbitrary code execution (RCE) within the context of the affected installation.
## Exploitation
- **Status**: Exploited in the wild (Zero-day). Reports indicate activity as early as December 2025.
- **Complexity**: Not specified (typically Medium for prototype pollution to RCE chains).
- **Attack Vector**: Local (Note: Initially reported as Network, but revised by Adobe to Local as exploitation requires the user to open a malicious file locally).
## Impact
- **Confidentiality**: High (Potential for full system access/data exfiltration)
- **Integrity**: High (Execution of arbitrary code)
- **Availability**: High (System compromise or application crash)
## Remediation
### Patches
Adobe has released emergency updates to address this flaw. Users should update to the following versions:
- **Acrobat DC / Reader DC**: Update to version 26.001.21411
- **Acrobat 2024 (Windows)**: Update to version 24.001.30362
- **Acrobat 2024 (macOS)**: Update to version 24.001.30360
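
To check a fleet against these numbers, the following added example (not from Adobe or from this report's sources) triages inventory rows using the affected and fixed versions listed above. The track labels `dc` and `2024`, the host names and the inventory rows are constructed for illustration, and it assumes the inventory records which product track each host runs.

```python
import re

# Added example. (product, platform) -> (last version listed as affected, first
# fixed version), from the report above; 'dc'/'2024' labels are this example's own.
ADVISORY = {
    ("dc", "windows"): ("26.001.21367", "26.001.21411"),
    ("dc", "macos"): ("26.001.21367", "26.001.21411"),
    ("2024", "windows"): ("24.001.30356", "24.001.30362"),
    ("2024", "macos"): ("24.001.30356", "24.001.30360"),
}

def parse_version(text):
    """Turn 'NN.NNN.NNNNN' into a tuple of ints so comparison is numeric."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def triage(product, platform, installed):
    """Return 'affected', 'update' (above the listed affected range but
    below the fix), 'patched', or 'unknown' for one installation."""
    entry = ADVISORY.get((product.lower(), platform.lower()))
    if entry is None:
        return "unknown"
    try:
        version = parse_version(installed)
    except ValueError:
        return "unknown"
    last_affected, first_fixed = (parse_version(v) for v in entry)
    if version <= last_affected:
        return "affected"
    if version < first_fixed:
        return "update"
    return "patched"

# Constructed inventory rows: (host, product track, platform, installed version).
INVENTORY = [
    ("ws-001", "dc", "windows", "26.001.21367"),
    ("ws-002", "dc", "macos", "26.001.21411"),
    ("ws-003", "2024", "macos", "24.001.30360"),
    ("ws-004", "2024", "windows", "24.001.30360"),
    ("ws-005", "dc", "windows", "25.001.20432"),
    ("ws-006", "2024", "windows", "not installed"),
]

def report(rows=INVENTORY):
    return {host: triage(product, plat, ver) for host, product, plat, ver in rows}

if __name__ == "__main__":
    print(report())
```

The same build number gives different results on `ws-003` and `ws-004` because the Acrobat 2024 fix version differs between macOS and Windows.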
### Workarounds
- Exercise extreme caution when opening PDF files from unknown or untrusted sources.
- Disable JavaScript in Adobe Acrobat Reader (Preferences > JavaScript > Uncheck "Enable Acrobat JavaScript"), though this may break functionality in certain PDF forms.
## Detection
- **Indicators of Compromise**: Presence of specially crafted PDF documents containing suspicious JavaScript objects or logic designed to pollute the `__proto__` or `constructor` properties.
- **Detection methods**: Employ Endpoint Detection and Response (EDR) tools to monitor for unusual child processes spawned by `AcroRd32.exe` or `Acrobat.exe`.
## References
- Adobe Security Advisory: hxxps[://]helpx[.]adobe[.]com/security/products/acrobat/apsb26-43[.]html
- EXPMON Disclosure: hxxps[://]thehackernews[.]com/2026/04/adobe-reader-zero-day-exploited-via[.]html
- CWE-1321 Definition: hxxps[://]cwe[.]mitre[.]org/data/definitions/1321[.]html