Adobe Acrobat and Reader Prototype Pollution RCE (CVE-2026-34621)
Severity Assessment
- Exploitability: 7/10 — Requires user to open a malicious PDF; delivered via email attachments, web downloads, or document sharing
- Impact: 8/10 — Arbitrary code execution in the context of the logged-in user; sandbox escape may enable full system compromise
- Weaponization Risk: 8/10 — CVSS 3.1 score 8.6 (HIGH); added to CISA KEV with active exploitation confirmed; PDF is a widely used document format
- Patch Urgency: 10/10 — CISA requires federal agency remediation by 27 April 2026; active exploitation in the wild
- Detection Coverage: 6/10 — Antivirus engines detect known exploit samples; behavioral detection of prototype pollution in PDF JavaScript is more challenging
Executive Summary
CVE-2026-34621 is a remote code execution vulnerability in Adobe Acrobat and Reader caused by a prototype pollution flaw (CWE-1321) in the JavaScript engine embedded within the PDF processing components. An attacker can craft a malicious PDF document that, when opened by a victim using a vulnerable version of Adobe Acrobat or Reader, exploits the prototype pollution vulnerability to achieve arbitrary code execution.
Prototype pollution is a class of vulnerability specific to JavaScript engines where an attacker can modify the prototype of base objects (such as Object.prototype), causing unexpected property values to propagate to all objects inheriting from the polluted prototype. In the context of Adobe’s PDF JavaScript engine, this can be leveraged to corrupt internal state and redirect code execution.
The vulnerability has a CVSS 3.1 base score of 8.6 (HIGH) with a local attack vector (requiring user interaction to open the PDF), low attack complexity, no privileges required, and a changed scope (indicating the vulnerability can affect resources beyond the vulnerable component). Adobe published security bulletin APSB26-43 with patches for all affected versions.
CISA added CVE-2026-34621 to the Known Exploited Vulnerabilities catalog on 13 April 2026, confirming active exploitation in the wild and establishing a federal remediation deadline of 27 April 2026.
Exploit Chain
Stage 1: PDF Document Delivery
The attacker delivers a crafted PDF file to the target via email attachment, web download, or file-sharing platform. The document may appear as a legitimate business document, invoice, report, or form to encourage the target to open it.
Stage 2: JavaScript Execution in PDF
When the victim opens the PDF in Adobe Acrobat or Reader, embedded JavaScript executes automatically. The malicious JavaScript code targets the prototype pollution vulnerability in the PDF JavaScript engine by assigning crafted values to properties on Object.prototype or other base object prototypes.
Stage 3: Prototype Pollution
The injected prototype properties propagate to internal Adobe Acrobat/Reader objects that inherit from the polluted prototypes. This allows the attacker to control values that the application reads from object properties during normal processing, including values used in security-critical control flow decisions.
Stage 4: Code Execution
By controlling prototype-inherited properties, the attacker redirects execution flow to attacker-controlled code. The resulting code execution occurs within the Adobe Acrobat/Reader process, initially constrained by the application’s sandbox. The CVSS scope change indicator suggests the exploitation may achieve sandbox escape.
Stage 5: Post-Exploitation
After achieving code execution, the attacker can download and execute additional payloads, establish persistent access, harvest credentials, or conduct further operations. The exploitation occurs transparently while the user views what appears to be a normal PDF document.
Detection Guidance
File-based detection:
- Antivirus and anti-malware engines should scan PDF attachments for malicious JavaScript containing prototype pollution patterns (assignments to __proto__, constructor.prototype, or Object.prototype)
- PDF-specific analysis tools can identify JavaScript streams with obfuscated code or unusually large JavaScript objects
- YARA rules targeting common prototype pollution gadget patterns in PDF JavaScript streams
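One way to implement the file-based check above, as an added example (not code from Adobe, CISA or this advisory): it inflates Flate-compressed streams and flags writes to `__proto__`, `constructor.prototype` or `Object.prototype`, while ignoring plain reads. The function names, regexes and both sample documents are constructed for illustration.

```python
import re
import zlib

# Optional property chain (.a or ["a"]) then a plain "=" (not ==, ===, =>).
ACCESS = rb"(?:\s*(?:\.\s*[\w$]+|\[[^\]\n]{1,80}\]))*"
ASSIGN = rb"\s*=(?![=>])"
PATTERNS = {
    "__proto__": re.compile(rb"__proto__['\"]?\s*\]?" + ACCESS + ASSIGN),
    "constructor.prototype": re.compile(
        rb"constructor['\"]?\s*\]?\s*(?:\.\s*prototype|\[\s*['\"]prototype['\"]\s*\])"
        + ACCESS + ASSIGN),
    "Object.prototype": re.compile(rb"\bObject\s*\.\s*prototype" + ACCESS + ASSIGN),
}
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
JS_ACTION = re.compile(rb"/(?:JS|JavaScript)\b")

def script_bodies(pdf):
    """Yield (label, bytes): the raw file, then every stream that inflates."""
    yield "raw", pdf
    for i, m in enumerate(STREAM.finditer(pdf)):
        try:
            # decompressobj tolerates the EOL bytes left before "endstream"
            yield f"stream {i}", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; its bytes were already scanned as "raw"

def scan_pdf(pdf):
    """Return whether the file declares a JavaScript action and which patterns hit."""
    hits = [(label, name)
            for label, body in script_bodies(pdf)
            for name, rx in PATTERNS.items() if rx.search(body)]
    return {"has_js_action": bool(JS_ACTION.search(pdf)), "hits": hits}

# Constructed samples (not real-world files): one writes to prototypes inside a
# Flate stream, the other only reads them and must not be flagged.
_JS = b"var o = {}; o.__proto__.marker = 1; Object.prototype.marker2 = 1;"
FLAGGED = (b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
           + zlib.compress(_JS) + b"\nendstream\nendobj\n%%EOF\n")
CLEAN = (b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS "
         b"(if (a.__proto__ === b) Object.prototype.toString.call(a);) >>\n"
         b"endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(name, scan_pdf(doc))
```

Streams using other filters, object streams, encrypted documents and hex-escaped names are not decoded here, so a clean result from this scan is not evidence that a file is safe.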
Host-based detection:
- Monitor Adobe Acrobat/Reader processes for spawning unexpected child processes (cmd.exe, powershell.exe, mshta.exe)
- Enable Adobe Acrobat Protected Mode (sandboxing), which limits the impact of exploitation
- Application control policies should prevent executables from being created or run from Acrobat/Reader temporary directories
- EDR solutions should monitor for suspicious behavior chains: PDF open followed by child process creation followed by network connection
Network-based detection:
- Email gateway scanning should analyze PDF attachments for malicious JavaScript content before delivery
- Network sandboxing appliances should detonate PDF files in instrumented environments
- Monitor for outbound connections from Acrobat/Reader processes to external addresses not associated with Adobe update services
Indicators of Compromise
Network indicators:
- Email delivery of PDF attachments from unknown or spoofed senders, particularly with urgency-themed subject lines
- Outbound connections from AcroRd32.exe or Acrobat.exe to non-Adobe external IP addresses or domains
- Download of secondary payloads following PDF opening
Host indicators:
- Adobe Acrobat or Reader processes spawning cmd.exe, powershell.exe, or other unexpected executables
- Executable files created in Adobe temporary directories or user temp folders by the Reader/Acrobat process
- JavaScript errors or crashes in Adobe Acrobat/Reader (may indicate failed exploitation attempts)
- Registry modifications for persistence created by processes spawned from Acrobat/Reader
Log indicators:
- Windows Event Log: process creation (Event ID 4688) with Acrobat.exe or AcroRd32.exe as parent process
- Email gateway logs: PDF attachment delivery from external or suspicious sources
- Adobe Acrobat/Reader crash reports in Windows Application Event Log (may indicate exploitation attempts)
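The parent/child check from the host-based detection guidance and the Event ID 4688 log indicator above, as an added example (not part of the advisory or any vendor tooling). It also follows descendants of the reader process by PID, so a shell launched two levels down is still attributed to Acrobat/Reader. The records, paths and the helper `_ev` are constructed, and events are assumed to be already exported as dicts keyed by the 4688 data field names.

```python
from ntpath import basename  # parses Windows paths on any OS

READERS = {"acrobat.exe", "acrord32.exe"}
SUSPICIOUS = {"cmd.exe", "powershell.exe", "mshta.exe"}

def reader_spawn_alerts(events):
    """Flag suspicious processes created by Acrobat/Reader or its descendants."""
    lineage = {}  # pid -> depth below the reader process (PID reuse not handled)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4688:
            continue
        child = basename(ev["NewProcessName"]).lower()
        parent = basename(ev["ParentProcessName"]).lower()
        pid, ppid = int(ev["NewProcessId"], 16), int(ev["ProcessId"], 16)
        if child in READERS:
            lineage[pid] = 0  # root of a tree we want to follow
            continue
        if parent in READERS:
            depth = 1
        elif ppid in lineage:
            depth = lineage[ppid] + 1
        else:
            continue  # unrelated to any reader process seen so far
        lineage[pid] = depth
        if child in SUSPICIOUS:
            alerts.append({"time": ev["TimeCreated"], "parent": parent,
                           "child": child, "depth": depth,
                           "cmdline": ev.get("CommandLine", "")})
    return alerts

def _ev(time, parent, ppid, image, pid, cmdline=""):
    # Hypothetical helper that builds one constructed 4688 record.
    return {"EventID": 4688, "TimeCreated": time, "ParentProcessName": parent,
            "ProcessId": ppid, "NewProcessName": image, "NewProcessId": pid,
            "CommandLine": cmdline}

# Constructed sample: reader opens a PDF, spawns cmd.exe, which spawns
# powershell.exe; the last powershell.exe comes from explorer.exe and is ignored.
SAMPLE = [
    _ev("2026-04-14T09:00:01Z", r"C:\Windows\explorer.exe", "0x5d0",
        r"C:\Apps\Reader\AcroRd32.exe", "0x1a2c", r'AcroRd32.exe "C:\tmp\sample.pdf"'),
    _ev("2026-04-14T09:00:07Z", r"C:\Apps\Reader\AcroRd32.exe", "0x1a2c",
        r"C:\Windows\System32\cmd.exe", "0x2b10", "cmd.exe /c <constructed>"),
    _ev("2026-04-14T09:00:08Z", r"C:\Windows\System32\cmd.exe", "0x2b10",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "0x2c44"),
    _ev("2026-04-14T09:05:00Z", r"C:\Windows\explorer.exe", "0x5d0",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "0x3000"),
]
```

`ParentProcessName` is only present in 4688 events from Windows 10 / Server 2016 onward, and `CommandLine` is empty unless command-line auditing is enabled by policy.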
Disclosure Timeline
2026-04-13 — Adobe Security Bulletin Published
Adobe published security bulletin APSB26-43 addressing CVE-2026-34621 and providing patched versions of Acrobat and Reader.
2026-04-13 — CISA KEV Entry Added
CISA added CVE-2026-34621 to the Known Exploited Vulnerabilities catalog with a required federal remediation date of 27 April 2026.
2026-04-13 — NVD Entry Published
NIST published the CVE-2026-34621 entry in the National Vulnerability Database with a CVSS 3.1 base score of 8.6 (HIGH).
Sources & References
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2026-04-13
- NIST NVD: CVE-2026-34621 — NIST NVD, 2026-04-13
- Adobe: Security Bulletin APSB26-43 — Adobe, 2026-04-13