CVE-2026-34621: Adobe Acrobat Reader Prototype Pollution RCE
A critical prototype pollution vulnerability has been disclosed in Adobe Acrobat Reader, tracked as CVE-2026-34621 with a CVSS v3.1 score of 9.6 (Critical). The flaw allows an attacker to achieve arbitrary code execution in the context of the current user by delivering a specially crafted PDF file. User interaction is required — the victim must open the malicious document.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-34621 |
| CVSS Score | 9.6 (Critical) |
| CWE Classification | CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes |
| Affected Software | Adobe Acrobat Reader |
| Affected Versions | 24.001.30356 and earlier; 26.001.21367 and earlier |
| Attack Vector | Local (requires user to open malicious PDF) |
| User Interaction | Required |
| Privileges Required | None |
| Published | April 11, 2026 |
Technical Analysis
What Is Prototype Pollution?
Prototype pollution is a class of vulnerability in which an attacker can inject properties into an object's prototype, the shared template used by all instances of that object type. Here the affected objects live in the JavaScript engine embedded in a PDF renderer rather than in a browser. Because prototype inheritance means all JavaScript objects inherit from Object.prototype, successfully polluting it can alter the behavior of every object in the running application.
In the context of Adobe Acrobat Reader, the PDF format supports JavaScript execution for form automation, digital signatures, and interactive content. Acrobat embeds a JavaScript engine (historically based on SpiderMonkey/V8 lineage) to process these scripts when a PDF is opened.
Exploitation Chain
1. Attacker crafts a PDF containing malicious embedded JavaScript
2. The JavaScript payload targets a vulnerability in the PDF engine's handling of object property assignment — specifically a path that permits modification of __proto__ or Object.prototype attributes without proper access controls
3. When the victim opens the PDF, Acrobat's JS engine processes the script and the prototype of a core object is polluted with attacker-controlled properties
4. Subsequent operations that rely on prototype-inherited values now execute attacker-supplied logic
5. The attacker achieves arbitrary code execution within the security context of the current Acrobat Reader process
Why CVSS 9.6?
The near-perfect CVSS score reflects several factors:
- Confidentiality impact: High — full read access to user files and environment variables
- Integrity impact: High — attacker can write/modify data on the victim's system
- Availability impact: High — process crash or persistent malware installation possible
- No privileges required — any user who opens a PDF is vulnerable
- Scope: Changed — the exploit can affect resources beyond the Acrobat process sandbox
The slight deduction from 10.0 relates to the user interaction requirement — the victim must open the crafted file.
Affected Versions
| Track | Affected Version | Patch Target |
|---|---|---|
| Acrobat Reader (Classic) | 24.001.30356 and earlier | Update to 24.001.30360+ |
| Acrobat Reader (Continuous) | 26.001.21367 and earlier | Update to 26.001.21375+ |
Both the 24.x Classic and 26.x Continuous tracks are affected. Users on older unsupported versions should treat themselves as vulnerable.
Remediation
Immediate: Update Adobe Acrobat Reader
Adobe has released patched versions. Apply updates immediately via the built-in updater:
- Open Adobe Acrobat Reader
- Go to Help > Check for Updates
- Install all available updates and restart
Or use the Adobe Acrobat Reader installer to deploy the latest version:
```powershell
# Check current version (Windows)
reg query "HKLM\SOFTWARE\Adobe\Acrobat Reader\DC\Installer" /v ProductVersion
# Force update via Adobe Update Manager (Windows)
# The call operator (&) is needed to run a quoted path in PowerShell
& "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
```
Enterprise Deployment
For organizations managing Adobe Reader via endpoint management tools:
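```powershell
# SCCM / Intune — query installed Reader versions
# Note: querying Win32_Product is slow and triggers a Windows Installer consistency check on every installed MSI package
Get-WmiObject -Query "SELECT Name, Version FROM Win32_Product WHERE Name LIKE '%Acrobat Reader%'"
# Deploy patch silently
msiexec /i AcroRdr_26.001.21375.msi /qn REBOOT=ReallySuppress
```
Interim Mitigations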
If patching is not immediately possible:
- Disable JavaScript in Acrobat Reader: Edit > Preferences > JavaScript > uncheck "Enable Acrobat JavaScript"
- Apply Protected Mode (Sandboxing): Edit > Preferences > Security (Enhanced) > Enable "Protected Mode at startup"
- Block PDF auto-open in email clients — require users to save PDFs locally before opening
- Deploy application allowlisting to prevent unexpected child processes spawned by Acrobat
Detection
Indicators of Compromise
Monitor for suspicious activity associated with Acrobat Reader exploitation:
```powershell
# Windows: Watch for Acrobat Reader spawning unusual child processes
# Using Sysmon (Event ID 1 - Process Create)
# Parent: AcroRd32.exe or Acrobat.exe
# Child: cmd.exe, powershell.exe, wscript.exe, mshta.exe
# Look for Acrobat Reader network connections outside expected Adobe CDN ranges
# Expected: *.adobe.com, *.adobedc.net, *.adobeid.com
# Check for recently created files in temp paths after PDF open events
Get-ChildItem $env:TEMP -Recurse | Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-1) }
```
SIEM Detection Query (KQL / Splunk)
```kql
// Detect Acrobat spawning suspicious processes (Sentinel / KQL)
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
```
Impact Assessment
| Impact Category | Description |
|---|---|
| Code Execution | Arbitrary commands run as the current user |
| Data Theft | Attacker can exfiltrate sensitive documents, credentials, tokens |
| Persistence | Malware can be installed or scheduled tasks created |
| Lateral Movement | Compromised user context enables network pivoting |
| Targeted Attacks | Spear-phishing with crafted PDFs is a well-established attack vector |
Attackers commonly deliver PDF exploits via:
- Email phishing with malicious PDF attachments
- Drive-by download — PDFs served from malicious or compromised websites
- Watering hole attacks — PDF files planted on frequently visited industry portals
Key Takeaways
- CVE-2026-34621 is a CVSS 9.6 Critical prototype pollution flaw in Adobe Acrobat Reader (≤ 24.001.30356 / ≤ 26.001.21367) enabling arbitrary RCE
- Exploitation requires user interaction — the victim must open a specially crafted PDF
- The prototype pollution mechanism allows attacker code to run within Acrobat's embedded JavaScript engine
- Update immediately via Help > Check for Updates or enterprise deployment tools
- As an interim measure, disable JavaScript in Acrobat preferences and enable Protected Mode sandbox
- Monitor for Acrobat spawning unexpected child processes as an indicator of exploitation
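The parent/child process check described under Detection, applied to Sysmon Event ID 1 records, as an added example that is not part of the original advisory. The parent and child lists are the ones the page gives; the function names, hosts, paths and events are constructed, and matching on Sysmon's OriginalFileName field is an addition beyond the page's file-name match.

```javascript
// Added example: triage of Sysmon Event ID 1 (Process Create) records.
// Parent and child lists come from this page; the sample events are constructed.
const ACROBAT_PARENTS = new Set(['acrord32.exe', 'acrobat.exe']);
const SUSPICIOUS_CHILDREN = new Set([
  'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe',
]);

// Sysmon logs full paths in Image and ParentImage, so compare on the file name only.
function baseName(imagePath) {
  return String(imagePath || '').split(/[\\/]/).pop().toLowerCase();
}

// One finding per process-create event whose parent is Acrobat and whose child matches
// by on-disk name or by OriginalFileName (taken from the PE version resource), so a
// listed binary copied under another name is still reported.
function findSuspiciousSpawns(events) {
  return events
    .filter((e) => e.EventID === 1 && ACROBAT_PARENTS.has(baseName(e.ParentImage)))
    .map((e) => {
      const names = [baseName(e.Image), String(e.OriginalFileName || '').toLowerCase()];
      const child = names.find((n) => SUSPICIOUS_CHILDREN.has(n));
      return child && { time: e.UtcTime, host: e.Computer, child, image: e.Image };
    })
    .filter(Boolean);
}

// Constructed sample events (hypothetical hosts and paths).
const READER = 'C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe';
const SAMPLE_EVENTS = [
  { EventID: 1, UtcTime: '2026-04-12 09:14:03', Computer: 'WS-0141', ParentImage: READER,
    Image: 'C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe',
    OriginalFileName: 'RdrCEF.exe' },                                   // normal helper
  { EventID: 1, UtcTime: '2026-04-12 09:20:41', Computer: 'WS-0207', ParentImage: READER,
    Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    OriginalFileName: 'PowerShell.EXE' },                               // listed child
  { EventID: 1, UtcTime: '2026-04-12 09:31:10', Computer: 'WS-0207',
    ParentImage: 'C:\\Windows\\explorer.exe', Image: 'C:\\Windows\\System32\\cmd.exe',
    OriginalFileName: 'Cmd.Exe' },                                      // parent is not Acrobat
  { EventID: 1, UtcTime: '2026-04-12 10:02:55', Computer: 'WS-0312',
    ParentImage: 'C:\\PROGRAM FILES\\ADOBE\\ACROBAT DC\\ACROBAT\\ACROBAT.EXE',
    Image: 'C:\\Users\\Public\\viewer.exe', OriginalFileName: 'MSHTA.EXE' }, // renamed copy
  { EventID: 3, UtcTime: '2026-04-12 10:05:00', Computer: 'WS-0312', Image: READER },
];

console.log(findSuspiciousSpawns(SAMPLE_EVENTS));
```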