Planned Fix

CVE-2026-34621

Prototype pollution RCE in Acrobat Reader (malicious PDF)

Summary

Adobe Acrobat DC, Acrobat Reader DC, and Acrobat 2024 on Windows and macOS contain a prototype pollution flaw in PDF object prototype handling. A crafted PDF can trigger arbitrary code execution when a victim opens the file in Acrobat or Reader, with code running as the current user. Adobe says the issue is being exploited in the wild.

Why Planned Fix?

4/6
No authentication required
Internal deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: No

Impact

Execute arbitrary code as the current user

RCE (Remote Code Execution)
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker crafts a malicious PDF that corrupts object prototype attributes during document parsing. The file is delivered to the target and opened in Acrobat or Reader. When the application processes the document, the polluted prototype state is abused to execute attacker-controlled code in the victim's user context.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Adobe

Product | Affected Versions
Acrobat DC | 26.001.21367 and earlier
Acrobat Reader DC | 26.001.21367 and earlier
Acrobat 2024 | Windows: 24.001.30356 and earlier; macOS: 24.001.30360 and earlier
Description

Adobe Acrobat and Reader are desktop applications for viewing, creating, editing, annotating, and signing PDF documents.

Deployment: Typically internal | Protocol: File | Ports:

Affected Component: PDF document parsing and rendering when opening malicious files.

Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update
Update Acrobat DC and Acrobat Reader DC to 26.001.21411 or later, and Acrobat 2024 to 24.001.30362 (Windows) or 24.001.30360 (macOS) or later.


helpx.adobe.com
Threat Intelligence
EPSS Score: 0.2%

Probability of exploitation in the next 30 days

EPSS Percentile: 46%

Worse than 46% of all CVEs

CISA KEV: Not Listed
Active Exploitation: Active
helpx.adobe.com
Threat Actors

No known threat actors

Detection Rules: 1
KQL
DeviceProcessEvents
| where InitiatingProcessFileName in~ ('Acrobat.exe','AcroRd32.exe')
    and FileName in~ ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe')

NVD Data


Description Summary

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Base Score

9.6 (Critical)

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-1321 Prototype Pollution

Sources

2
Source | Article
helpx.adobe.com | Adobe Security Bulletin APSB26-43
www.tenable.com | CVE-2026-34621

Priority History

Planned Fix

Initial analysis