CVE-2026-34621: Adobe Acrobat Reader Prototype Pollution Zero-Day Enables Code Execution via Malicious PDFs
Adobe Acrobat Reader zero-day prototype pollution flaw exploited since November 2025 enables arbitrary code execution.
Summary
CVE-2026-34621 is a critical prototype pollution vulnerability in Adobe Acrobat Reader that has been actively exploited in the wild since November 2025. The flaw allows arbitrary code execution when users open specially crafted PDF files containing malicious JavaScript. Adobe released an emergency patch (APSB26-43, Priority 1) on April 11, 2026, after the vulnerability was discovered by researcher Haifei Li through the EXPMON sandbox platform on March 26, 2026.
Full text
Zero-Day · Actively Exploited Since November 2025

Adobe ships an emergency patch for a critical prototype pollution flaw in Acrobat Reader that has been exploited in the wild since late 2025, discovered through the EXPMON sandbox detection platform.

Dark Web Informer, April 13, 2026, 6 min read

CVE: CVE-2026-34621
Product: Adobe Acrobat Reader (Windows, macOS)
Bug Class: Prototype Pollution, CWE-1321
CVSS 3.1: 8.6 / High (revised from 9.6)
Vector: AV:L / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
Exploitation: Confirmed in the wild since Nov 2025
Impact: Arbitrary code execution via malicious PDF
Bulletin: APSB26-43 (Priority 1)
Reporter: Haifei Li (EXPMON)
NVD Entry: nvd.nist.gov/vuln/detail/CVE-2026-34621

Adobe has released an emergency security update for Acrobat Reader, patching CVE-2026-34621, a critical prototype pollution vulnerability that has been actively exploited in the wild since at least November 2025. The flaw enables arbitrary code execution when a user opens a specially crafted PDF file. Adobe published the fix under bulletin APSB26-43 on April 11, 2026, with Priority 1, its highest urgency rating.

The vulnerability was discovered by security researcher Haifei Li through EXPMON, a publicly available sandbox-based platform designed to detect advanced file-based exploits. A suspicious PDF submitted to the platform on March 26 was flagged by its automated detection engine despite having low antivirus detection rates on VirusTotal (13 out of 64 engines).

How prototype pollution works in Acrobat

Prototype pollution is a JavaScript vulnerability class where an attacker can add or modify properties on the base Object.prototype. Because nearly all JavaScript objects inherit from this prototype, injected properties propagate throughout the application.
When legitimate code later accesses a property that does not exist on a specific object, JavaScript's prototype chain lookup hits the attacker-controlled value instead.

In the context of Adobe Acrobat Reader, the exploit works by embedding malicious JavaScript inside a crafted PDF. When a victim opens the file, the prototype pollution flaw allows the attacker to manipulate internal object structures within the Acrobat JavaScript engine. This can escalate to calling privileged Acrobat APIs that are normally restricted.

According to the analysis by EXPMON, the observed exploit used the util.readFileIntoStream() API to read arbitrary files from the local system that the Reader process (running in a sandbox) could access. The malicious PDFs were designed to fingerprint the target system and exfiltrate information back to the attacker, suggesting this was part of a targeted reconnaissance campaign rather than a broad spray-and-pray operation.

Five months of exploitation before detection. The exploit has been active in the wild since at least November 2025, but was not identified until March 26, 2026, when a sample was submitted to EXPMON. The long dwell time highlights the gap between traditional antivirus detection and sandbox-based exploit analysis. At the time of discovery, only 13 of 64 VirusTotal engines flagged the malicious PDF.

Discovery timeline

- Nov 2025: Earliest known in-the-wild exploitation of CVE-2026-34621 begins.
- Mar 26: Suspicious PDF submitted to EXPMON. Flagged by advanced detection despite low AV coverage (13/64 on VirusTotal).
- Apr 11: Adobe publishes emergency bulletin APSB26-43, confirms active exploitation, and releases patched versions.
- Apr 12: CVSS score revised from 9.6 (network vector) to 8.6 (local vector, requires user interaction).
- Apr 13: Adobe credits Haifei Li of EXPMON for discovery and coordinated disclosure.

Affected versions and patches

The vulnerability affects multiple Acrobat and Reader product lines across both Windows and macOS.
Adobe has released patched versions under bulletin APSB26-43:

- Acrobat DC / Acrobat Reader DC (Win/Mac): fixed in 26.001.21411
- Acrobat 2024 (Windows): fixed in 24.001.30362
- Acrobat 2024 (macOS): fixed in 24.001.30360

Versions 26.001.21367 and 24.001.30356 and earlier are confirmed vulnerable.

What to do

- Update Acrobat Reader immediately. Open Acrobat Reader, go to Help, then Check for Updates. Adobe has assigned this patch Priority 1, meaning it should be installed within 72 hours.
- Warn users about untrusted PDFs. Because exploitation requires opening a malicious file, instruct users not to open PDF attachments from unknown or suspicious sources. This is especially relevant for organizations targeted by spear-phishing.
- Disable JavaScript in PDFs where possible. Acrobat Reader allows administrators to disable JavaScript execution in PDFs via preferences or group policy. This removes the primary attack surface for this vulnerability class.
- Block the known indicator. Security teams should monitor and block all HTTP/HTTPS traffic containing "Adobe Synchronizer" in the User-Agent field, which was associated with the observed exploitation activity.
- Hunt for historical compromise. Given that the exploitation window stretches back to November 2025, organizations should review endpoint telemetry for suspicious PDF-related activity over the past five months, particularly unexpected calls to util.readFileIntoStream() or unusual outbound connections from Acrobat processes.

Bigger picture

Prototype pollution has traditionally been seen as a web application vulnerability, most commonly exploited in Node.js and browser JavaScript contexts. Its appearance in a desktop PDF reader demonstrates that the attack class extends to any application with a sufficiently complex JavaScript engine. Acrobat Reader's embedded JavaScript runtime, used for forms, annotations, and document automation, provides enough surface area for attackers to chain prototype pollution into full code execution.
The five-month gap between the start of exploitation and discovery is a stark reminder of the limitations of signature-based detection. The malicious PDFs evaded the majority of antivirus engines and were only caught by a purpose-built sandbox platform. Organizations that rely solely on traditional endpoint protection may have been exposed for the entire window without knowing it.

Adobe Acrobat Reader remains one of the most widely deployed desktop applications in the world, installed on hundreds of millions of systems across enterprise and consumer environments. Any code execution vulnerability that can be triggered by simply opening a PDF makes it a high-value target for both nation-state actors running espionage campaigns and financially motivated attackers delivering malware through phishing.

Sources: Help Net Security · Security Affairs · The Cyber Express · Vulert · Born City · NIST NVD
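The prototype-chain lookup described in the "How prototype pollution works" section, shown as an added example that is not part of the original article and is not Adobe's code or the observed exploit. The deepMerge helpers are hypothetical stand-ins for any routine that copies untrusted keys into an object; the untrusted JSON input is constructed for the demonstration.

```javascript
// Vulnerable: copies every enumerable key, including the special "__proto__" key.
// Recursing into target["__proto__"] means recursing into Object.prototype itself.
function deepMergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key]) target[key] = {};
      deepMergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: only the source's own keys, and never the keys that reach the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = {};
      }
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input (e.g. parsed from an untrusted document).
// JSON.parse creates an own property literally named "__proto__" here.
const untrusted = JSON.parse('{"name":"doc","__proto__":{"privileged":true}}');

// Runs one merge and reports whether an unrelated object now "sees" the injected flag:
// the lookup on a fresh {} finds nothing locally and falls through to Object.prototype.
function isPolluted(mergeFn) {
  try {
    mergeFn({}, untrusted);
    return ({}).privileged === true;
  } finally {
    delete Object.prototype.privileged; // undo any pollution so later code is unaffected
  }
}
```

With the vulnerable merge, isPolluted returns true and every object in the runtime inherits the injected property; with the hardened merge it returns false, which is the property check a code audit of an embedded JavaScript engine's merge/extend helpers should look for.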
Indicators of Compromise
- cve — CVE-2026-34621