Adobe issued emergency security bulletin APSB26-43 on April 11, 2026, patching CVE-2026-34621 — a critical prototype pollution vulnerability in Adobe Acrobat and Reader that has been under active exploitation since at least December 2025. The company confirmed it is “aware of CVE-2026-34621 being exploited in the wild” and assigned the fix a Priority 1 rating, its highest urgency tier.
What Happened
Security researcher and EXPMON founder Haifei Li disclosed details of zero-day exploitation of the flaw, observing attacks that execute arbitrary code through malicious JavaScript embedded in specially crafted PDF documents. Evidence of in-the-wild exploitation predates disclosure by months, with forensic indicators pointing to attacks as far back as December 2025.
Adobe initially scored the vulnerability CVSS 9.6 with a Network attack vector, then revised the advisory on April 12, 2026 to adjust the attack vector to Local (AV:L), bringing the score down to 8.6. The adjustment reflects that exploitation requires a victim to open a malicious file rather than a purely remote trigger — but this distinction matters little in practice since PDF opening is a universal daily workflow in enterprise environments.
Technical Details
CVE: CVE-2026-34621
Advisory: APSB26-43
CWE: CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
CVSS: 8.6 (revised from 9.6)
Attack vector: Local (requires victim to open a malicious file)
Affected platforms: Windows and macOS
Affected versions:
- Acrobat Reader 24.001.30356 and earlier
- Acrobat Reader 26.001.21367 and earlier
Fixed version: 26.001.21411
The vulnerability is a JavaScript prototype pollution bug in Acrobat Reader’s scripting engine. Prototype pollution attacks work by injecting malicious properties into JavaScript’s Object.prototype. Because JavaScript’s prototype chain lookup traverses up to Object.prototype when a property isn’t found on an object directly, attacker-controlled values propagate into security-sensitive code paths throughout the application.
In Acrobat Reader’s case, the exploit path goes through PDF-embedded JavaScript. PDFs support a rich scripting environment via the Acrobat JavaScript API, and the prototype pollution allows an attacker to subvert internal application logic — ultimately achieving arbitrary code execution in the context of the current user. The malicious PDF appears inert to standard inspection; the payload activates when the JavaScript engine processes the document.
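To make the mechanism in the two paragraphs above concrete, here is an added illustration of CWE-1321 in plain JavaScript. It is not Adobe's code and says nothing about Acrobat's internals: the recursive merge helper and the `isUnsafeOpAllowed` check are hypothetical stand-ins for the kind of internal logic a polluted prototype can subvert. The vulnerable merge is shown beside a hardened version so the defensive pattern (own keys only, prototype-related names rejected) is visible.

```javascript
// Added example (not Adobe's code): CWE-1321 prototype pollution in plain
// JavaScript, showing why a polluted Object.prototype reaches code that never
// touched the attacker's input. The merge helper and the privilege check are
// hypothetical stand-ins for the kind of internal logic the article refers to.

// Vulnerable recursive merge. It copies every key from `source`, including a
// key literally named "__proto__". Reading target["__proto__"] yields
// Object.prototype, so the recursion writes the attacker's nested keys onto
// the shared prototype, where every object in the engine inherits them.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: only own keys are copied, prototype-related names are
// rejected, and a nested target is only reused when it is an own property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical security-sensitive check: an absent flag should mean "denied".
// Prototype chain lookup turns an absent own property into an inherited one,
// so a polluted prototype flips this decision for every caller.
function isUnsafeOpAllowed(settings) {
  return settings.allowUnsafeOps === true;
}

// Runs one merge implementation against constructed untrusted input (the
// shape attacker-controlled JSON takes once parsed) and reports whether an
// unrelated object inherits the injected flag. Cleans Object.prototype after.
function pollutionLeaks(mergeFn) {
  const untrusted = JSON.parse('{"title":"report","__proto__":{"allowUnsafeOps":true}}');
  mergeFn({}, untrusted);
  const unrelated = {}; // never saw the untrusted input
  const leaked = isUnsafeOpAllowed(unrelated);
  delete Object.prototype.allowUnsafeOps;
  return leaked;
}

console.log('unsafeMerge leaks:', pollutionLeaks(unsafeMerge)); // true
console.log('safeMerge leaks:', pollutionLeaks(safeMerge));     // false
```

The point of the `unrelated` object is the one the article makes: the code that ends up misbehaving need not ever touch the attacker's data, which is why a single pollution primitive in a scripting engine can reach logic far from the parser. When reviewing merge, extend or deep-clone helpers, the two properties to look for are that keys are taken from `Object.keys` (own properties only) and that `__proto__`, `constructor` and `prototype` are refused.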
Impact Assessment
This affects any organization or individual running unpatched Adobe Acrobat or Reader on Windows or macOS. The attack surface is enormous:
- PDFs arrive via email attachments, browser downloads, file shares, and collaborative platforms
- No user interaction beyond opening the file is required for exploitation
- The compromised process runs with the privileges of the current user, making this a reliable initial access vector
- Combined with a local privilege escalation, this becomes a full host compromise chain
- Active exploitation since December 2025 means organizations running endpoint detection have had months of exposure
Environments most at risk: legal, financial, and healthcare organizations with heavy PDF workflows; corporate environments where PDFs are routinely opened from external sources; and any user who previews PDFs directly in a browser using the Adobe Reader plugin.
Mitigation
Primary action — update immediately:
Update Adobe Acrobat Reader to version 26.001.21411 or later. Adobe Reader updates through Help → Check for Updates or via enterprise deployment channels.
For enterprise environments using Ivanti Patch for Windows or similar patch management platforms: new content covering APSB26-43 was available as of April 11, 2026 and should be deployed immediately.
Additional hardening:
- Disable JavaScript execution in Adobe Reader if PDFs from external sources are a concern: Edit → Preferences → JavaScript → uncheck “Enable Acrobat JavaScript”
- Consider switching to an alternative PDF viewer (e.g., browser-native PDF rendering, Sumatra PDF on Windows) for untrusted documents
- Configure email gateways to sandbox PDF attachments before delivery
- Block or alert on PDFs with embedded JavaScript at the perimeter where possible
- Review EDR/AV telemetry for suspicious child processes spawned by AcroRd32.exe or Acrobat.exe dating back to December 2025
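As an added example of the last item, not a detection Adobe or any vendor publishes, the following Node.js script scans process-creation telemetry for child processes whose parent is AcroRd32.exe or Acrobat.exe, starting from the December 2025 window the article gives. The log lines are constructed for this example (tab-separated timestamp, parent image path, child image path, command line); real EDR exports use their own schema, so `parseEvent` is the part to adapt. The `EXPECTED_CHILDREN` allowlist is an assumption to be tuned per environment, and the three executables that appear in it and in the sample lines are only illustrative.

```javascript
// Added example (not from the article or Adobe): hunt for unexpected child
// processes of Acrobat/Reader in process-creation events.
// Log format is constructed for this example: "<ISO time>\t<parent>\t<child>\t<cmdline>".

// Parent images named in the article's last mitigation bullet.
const READER_PARENTS = new Set(['acrord32.exe', 'acrobat.exe']);
// Assumed allowlist of children Acrobat legitimately spawns; tune to your estate.
const EXPECTED_CHILDREN = new Set(['acrocef.exe']);
// Start of the review window, per the article: exploitation observed since December 2025.
const LOOKBACK_START = new Date('2025-12-01T00:00:00Z');

// Constructed sample telemetry. Two lines should be flagged, the others are
// an expected child, an event before the window, and an unrelated parent.
const SAMPLE_EVENTS = [
  '2026-01-14T09:12:03Z\tC:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\tC:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\t"AcroCEF.exe" --type=renderer',
  '2026-01-14T09:12:07Z\tC:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\inv.bat',
  '2026-02-03T15:40:51Z\tC:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -NoProfile -File C:\\Users\\bob\\AppData\\Local\\Temp\\q.ps1',
  '2025-11-20T11:05:00Z\tC:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c echo test',
  '2026-02-10T08:00:00Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe',
];

// Lower-cased file name from a Windows or POSIX path.
function basename(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

// Parses one constructed log line; returns null for malformed input so a bad
// line never aborts the whole scan.
function parseEvent(line) {
  const [ts, parent, child, cmd] = line.split('\t');
  if (!ts || !parent || !child) return null;
  const time = new Date(ts);
  if (Number.isNaN(time.getTime())) return null;
  return { time, parent: basename(parent), child: basename(child), cmd: cmd || '' };
}

// Returns every event in the window where a Reader/Acrobat parent spawned a
// child that is not on the allowlist. Results keep the full command line so
// an analyst can triage without going back to the raw export.
function findSuspiciousChildren(lines) {
  const hits = [];
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev) continue;
    if (ev.time < LOOKBACK_START) continue;
    if (!READER_PARENTS.has(ev.parent)) continue;
    if (EXPECTED_CHILDREN.has(ev.child)) continue;
    hits.push({ time: ev.time.toISOString(), parent: ev.parent, child: ev.child, cmd: ev.cmd });
  }
  return hits;
}

for (const hit of findSuspiciousChildren(SAMPLE_EVENTS)) {
  console.log(`${hit.time} ${hit.parent} -> ${hit.child}: ${hit.cmd}`);
}
```

Two design choices matter when porting this to real telemetry: match on the parent image name rather than the full path, since Reader installs under several directory layouts, and keep the allowlist short and explicit, because an allowlist entry is exactly what an attacker's chosen child process would need to be named to slip through. The lookback filter is a convenience for scoping the review the article calls for; widening it costs nothing but analyst time.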