Adobe issued an emergency security update for Adobe Acrobat and Reader on April 11, 2026, patching a critical zero-day vulnerability, CVE-2026-34621, that threat actors have been actively exploiting in the wild, potentially since December 2025.
The flaw, classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), enables arbitrary code execution and was assigned a Priority-1 rating, Adobe’s most urgent patch classification under security bulletin APSB26-43.
Adobe Patches Critical Acrobat Zero-Day
Prototype pollution is a JavaScript-specific security vulnerability that allows an attacker to tamper with an application’s core object properties and prototypes.
In Adobe Acrobat Reader, the vulnerability resides in the product’s JavaScript engine, which processes embedded scripts in PDF documents.
When exploited, an attacker can manipulate the internal object model, injecting malicious properties that propagate across all object instances and fundamentally alter runtime behavior.
Exploitation involves crafting a malicious PDF whose embedded JavaScript runs silently as soon as the document is opened; the victim needs to take no action beyond opening it.
Once the prototype chain is poisoned, the attacker can execute arbitrary code with the current logged-in user’s privileges, potentially enabling full system compromise if the user has administrative privileges.
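The propagation described above, as an added example in plain JavaScript (not Acrobat's engine and not code from Adobe or the researchers): a naive recursive merge lets an attacker-controlled key land on Object.prototype, so every object in the runtime inherits it, while a hardened merge that rejects prototype-affecting keys leaves unrelated objects untouched. Runs under Node.js.

```javascript
// Added example: CWE-1321 in miniature. Not Adobe code; a generic merge helper.

// Naive recursive merge: copies every key from src into dst unchecked.
// "__proto__" is not an ordinary key: dst["__proto__"] resolves to the
// object's prototype (Object.prototype for a plain {}), so nested keys
// under it are written onto the prototype shared by every object.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object" &&
        dst[key] !== null && typeof dst[key] === "object") {
      unsafeMerge(dst[key], val);            // here dst[key] is Object.prototype
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened merge: drops the keys that can reach a prototype and only
// recurses into properties dst actually owns, never inherited ones.
const PROTO_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (PROTO_KEYS.has(key)) continue;       // reject prototype-affecting keys
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      if (!hasOwn(dst, key) || typeof dst[key] !== "object" || dst[key] === null) {
        dst[key] = {};
      }
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed untrusted input (e.g. parsed from document metadata).
// JSON.parse creates an own property literally named "__proto__".
const UNTRUSTED = '{"title":"report","__proto__":{"isAdmin":true}}';

function demo() {
  const input = JSON.parse(UNTRUSTED);
  const bystander = {};                      // an unrelated object elsewhere
  safeMerge({}, input);
  const afterSafe = bystander.isAdmin;       // undefined: nothing leaked
  unsafeMerge({}, input);
  const afterUnsafe = bystander.isAdmin;     // true: every object is now "admin"
  const polluted = hasOwn(Object.prototype, "isAdmin");
  delete Object.prototype.isAdmin;           // undo the pollution
  return { afterSafe, afterUnsafe, polluted };
}
```

A quick runtime check for this class of bug is whether Object.prototype has gained own properties it never had; the demo reports that with the polluted flag.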
Adobe’s advisory explicitly confirms that CVE-2026-34621 was being exploited in the wild at the time of the patch release. Evidence gathered by security researchers suggests that threat actors have been exploiting this zero-day since at least December 2025, giving attackers a multi-month window before the patch became available.
The exploitation mechanism relies on specially crafted PDF files delivered through phishing emails, malicious download links, or compromised document-sharing platforms, all attack vectors that are trivially scalable across enterprise environments.
The flaw’s impact goes beyond information leakage: exploitation leads to full remote code execution, a finding consistent with EXPMON’s original disclosure to Adobe.
A researcher publicly urged all Adobe Reader users to “UPDATE NOW” following Adobe’s emergency patch release, underscoring the severity of active exploitation.
CVSS Score Revision and Technical Details
Adobe originally published CVE-2026-34621 with a CVSS base score of 9.6 (Critical) and a Network attack vector (AV:N). However, on April 12, 2026, Adobe revised the CVSS Attack Vector from Network (AV:N) to Local (AV:L), lowering the overall score to 8.6.
This change reflects that exploitation requires a user to open a malicious file locally rather than allowing purely remote, unauthenticated attack delivery across a network.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-34621 |
| CWE | CWE-1321 (Prototype Pollution) |
| CVSS Score | 8.6 (revised from 9.6) |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Impact | Arbitrary Code Execution |
| Severity | Critical |
| Exploit in Wild | Yes |
The CVSS vector highlights several key risk dimensions: Low Attack Complexity (AC:L) means exploitation is straightforward, with no special conditions; No Privileges Required (PR:N) means an unauthenticated attacker can weaponize the flaw; Changed Scope (S:C) indicates the exploit can affect resources beyond the vulnerable component itself; and the confidentiality, integrity, and availability impacts are all rated High (C:H/I:H/A:H).
Affected Versions
The following Adobe Acrobat and Reader versions across Windows and macOS are confirmed vulnerable:
- Acrobat DC (Continuous Track): Version 26.001.21367 and earlier
- Acrobat Reader DC (Continuous Track): Version 26.001.21367 and earlier
- Acrobat 2024 (Classic 2024 Track): Version 24.001.30356 and earlier
Both Windows and macOS platforms are impacted, making this a cross-platform critical vulnerability requiring immediate action across all user segments, including individual consumers, enterprise deployments, and managed IT environments.
Patched Versions and Remediation
Adobe has released the following fixed versions that fully address CVE-2026-34621:
- Acrobat DC / Acrobat Reader DC: Update to 26.001.21411 (Windows & macOS)
- Acrobat 2024: Update to 24.001.30362 (Windows) / 24.001.30360 (macOS)
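An added inventory check (not Adobe's tooling) that applies the affected and fixed build numbers above to a software-inventory export. It assumes that a 26.x major version identifies the Continuous track and 24.x the Classic 2024 track, and that the inventory records the platform, since the macOS and Windows fixed builds for Acrobat 2024 differ; "vulnerable" here means "below the fixed build for its track and platform".

```javascript
// Added example, not Adobe's code: triage an inventory against APSB26-43.
// Assumption: major version 26 = Continuous track, 24 = Classic 2024 track.
const FIXED = {
  continuous: { windows: "26.001.21411", macos: "26.001.21411" },
  classic2024: { windows: "24.001.30362", macos: "24.001.30360" },
};

// "26.001.21367" -> [26, 1, 21367]. Compared numerically: a plain string
// comparison misorders builds once a component changes length.
function parseVersion(v) {
  const parts = String(v).split(".").map((p) => Number(p));
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n))) {
    throw new Error(`unrecognised version string: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function trackOf(parsed) {
  if (parsed[0] === 26) return "continuous";
  if (parsed[0] === 24) return "classic2024";
  return null;                                   // unknown track: review by hand
}

// true  -> below the fixed build for its track/platform (needs the update)
// false -> at or above the fixed build
// null  -> track or platform not covered by the bulletin data above
function isVulnerable(version, platform) {
  const parsed = parseVersion(version);
  const track = trackOf(parsed);
  const fixed = track && FIXED[track][String(platform).toLowerCase()];
  if (!fixed) return null;
  return compareVersions(parsed, parseVersion(fixed)) < 0;
}

// Constructed sample inventory (hostnames and builds are made up).
const INVENTORY = [
  { host: "ws-01", platform: "windows", version: "26.001.21367" },
  { host: "mac-02", platform: "macos", version: "26.001.21411" },
  { host: "ws-03", platform: "windows", version: "24.001.30356" },
  { host: "ws-04", platform: "windows", version: "24.001.30360" }, // below the Windows fix
  { host: "mac-05", platform: "macos", version: "24.001.30360" },  // equals the macOS fix
];

function triage(inventory = INVENTORY) {
  return inventory.map((h) => ({ ...h, vulnerable: isVulnerable(h.version, h.platform) }));
}
```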
Users should update immediately using one of the following methods:
- Manual update: Open Adobe Acrobat or Reader → Help → Check for Updates
- Automatic update: Adobe products auto-update when connected to the internet, with no user action required
- Full installer: Download directly from the Adobe Acrobat Reader Download Center
- IT administrators (managed environments): Deploy via AIP-GPO, bootstrapper, SCUP/SCCM on Windows, or Apple Remote Desktop / SSH on macOS
Given that this vulnerability is actively exploited in the wild and has been weaponized through malicious PDF documents, organizations operating in high-risk industries, such as finance, healthcare, legal, and government, should treat this patch as a P1 emergency deployment and prioritize rollout within 24–48 hours of the patch release.
Security teams should also review endpoint detection logs for suspicious PDF-triggered process spawning activity dating back to December 2025 as a proactive threat hunting measure, given the extended exploitation window.
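One way to run that hunt, as an added example not taken from the article: a small Node.js filter over constructed process-creation events (Sysmon Event ID 1 style fields reduced to JSON lines) that flags Acrobat or Reader spawning a shell, script host or other LOLBin from 1 December 2025 onward. The parent image names, the suspicious-child list and the sample events are assumptions; tune them to your own telemetry.

```javascript
// Added example (not from the article or Adobe): hunt for PDF-triggered
// process spawning. Assumptions: the parent image names and child list below.
const HUNT_START = new Date("2025-12-01T00:00:00Z");  // start of the exploitation window
const READER_PARENTS = new Set(["acrord32.exe", "acrobat.exe"]);
const SUSPICIOUS_CHILDREN = new Set([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
]);

// Constructed sample telemetry, one JSON event per line. String.raw keeps
// the escaped Windows paths intact for JSON.parse. Includes one event before
// the window, one benign Acrobat helper process, one non-Acrobat parent and
// one malformed line.
const SAMPLE_LOG = String.raw`
{"ts":"2025-11-20T09:14:02Z","host":"WS-07","parent":"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"ts":"2025-12-09T14:31:55Z","host":"WS-12","parent":"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -w hidden -enc REDACTED"}
{"ts":"2026-01-15T08:02:10Z","host":"WS-12","parent":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe","image":"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\AcroCEF.exe","cmdline":"AcroCEF.exe --type=renderer"}
{"ts":"2026-02-03T11:45:00Z","host":"WS-03","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}
not json at all
`;

function baseName(path) {
  return String(path || "").split(/[\\\/]/).pop().toLowerCase();
}

// Returns the events worth an analyst's attention. Malformed lines are
// counted rather than thrown so one bad record does not abort the hunt.
function hunt(logText = SAMPLE_LOG, since = HUNT_START) {
  const hits = [];
  let malformed = 0;
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch { malformed++; continue; }
    if (new Date(ev.ts) < since) continue;            // outside the hunt window
    const parent = baseName(ev.parent);
    if (!READER_PARENTS.has(parent)) continue;        // not spawned by Acrobat/Reader
    const child = baseName(ev.image);
    if (!SUSPICIOUS_CHILDREN.has(child)) continue;    // e.g. AcroCEF.exe is expected
    hits.push({ ts: ev.ts, host: ev.host, parent, child, cmdline: ev.cmdline });
  }
  return { hits, malformed };
}
```

Widen the window with the second argument if your retention allows it; a child outside the list is not proof of benign behaviour, only a lower-priority lead.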
FAQ
Q1: What is CVE-2026-34621?
CVE-2026-34621 is a critical prototype pollution vulnerability (CWE-1321) in Adobe Acrobat and Reader that enables arbitrary code execution when a victim opens a specially crafted malicious PDF file.
Q2: Is CVE-2026-34621 being actively exploited?
Yes, Adobe has confirmed active in-the-wild exploitation of CVE-2026-34621, with evidence suggesting threat actors have been leveraging it since at least December 2025.
Q3: Which Adobe Acrobat versions are affected by APSB26-43?
Acrobat DC and Reader DC versions 26.001.21367 and earlier, and Acrobat 2024 version 24.001.30356 and earlier on both Windows and macOS, are affected.
Q4: How do I fix the CVE-2026-34621 vulnerability in Adobe Reader?
Update Adobe Acrobat DC or Reader DC to version 26.001.21411, or Acrobat 2024 to 24.001.30362 (Windows) / 24.001.30360 (macOS), via Help > Check for Updates or the Adobe Download Center.
Site: thecybrdef.com