
CVE-2026-34621: Adobe Acrobat Prototype Pollution

Simply opening a malicious PDF is enough — embedded JavaScript exploits prototype pollution in Adobe Acrobat Reader to achieve arbitrary code execution, with in-the-wild exploitation confirmed since December 2025 and a CISA KEV deadline of April 27, 2026.


CVE: CVE-2026-34621
CVSS: 8.6 High
CWE: CWE-1321 Prototype Pollution
Affected: Acrobat Reader & Acrobat DC (all platforms)
Status: CISA KEV — patch by 2026-04-27

Overview

Adobe issued an emergency out-of-band patch for CVE-2026-34621 on 13 April 2026 — a critical prototype pollution vulnerability in the JavaScript engine embedded in Adobe Acrobat Reader and Acrobat DC. The flaw allows arbitrary code execution with no user interaction beyond opening a document. Evidence of exploitation dates back to December 2025, meaning the vulnerability was weaponised for months before disclosure.

CISA added it to the Known Exploited Vulnerabilities catalog the same day, with a federal remediation deadline of 27 April 2026.

What is Prototype Pollution?

Prototype pollution is a JavaScript vulnerability class that arises when an attacker can modify the Object.prototype — the base object from which all JavaScript objects inherit. Because JavaScript resolves property lookups by walking the prototype chain, injecting or overwriting properties on Object.prototype affects every object in the application that doesn't define those properties itself.

In a standard browser context, prototype pollution typically leads to logic bypasses or DOM manipulation. In a PDF reader with a privileged JavaScript engine that can call native system APIs, it is a direct path to arbitrary code execution.

The classic pollution pattern looks like:

// Attacker-controlled object merge — typical entry point
function merge(target, source) {
    for (let key in source) {
        if (typeof source[key] === 'object' && source[key] !== null) {
            // Create the nested target if it is missing. Note that
            // target['__proto__'] already resolves to Object.prototype,
            // so the recursion below writes straight into it.
            if (typeof target[key] !== 'object' || target[key] === null) {
                target[key] = {};
            }
            merge(target[key], source[key]);
        } else {
            target[key] = source[key];  // No check for __proto__
        }
    }
}
merge({}, JSON.parse('{"__proto__":{"polluted":true}}'));
console.log({}.polluted);  // true — base prototype modified

How CVE-2026-34621 Works

Adobe Acrobat embeds a privileged JavaScript engine that can interact with the document model, form fields, and — in certain configurations — system-level file and network APIs. The vulnerability exists in the engine's object merge/assign routines, which fail to sanitise __proto__ and constructor.prototype property keys in attacker-supplied objects parsed from embedded PDF form data and JavaScript annotations.

A malicious PDF exploits this as follows:

  1. The PDF embeds obfuscated JavaScript in a document-level script or annotation action that executes automatically on open.
  2. The script constructs a malicious nested object and passes it through a vulnerable merge path, polluting Object.prototype with attacker-controlled properties.
  3. Downstream code in the Acrobat engine reads from these now-poisoned properties — causing type confusion, memory corruption, or direct invocation of native API wrappers, depending on the payload design.
  4. The payload executes in the context of the Acrobat process, with the privileges of the logged-in user.

Because document-level JavaScript runs automatically when the PDF is opened — with no prompt in default configurations — the user interaction requirement is zero. Open the file, get compromised.
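As an added example (not code from the original post, and not Adobe's engine code), here is the kind of merge routine the post says Acrobat's lacked: it refuses the `__proto__` and `constructor`/`prototype` key paths instead of passing them through, beside a small runtime self-check that reports whether Object.prototype has already been polluted. The payload strings are constructed for illustration.

```javascript
'use strict';

// Keys through which a merge can reach the prototype chain: "__proto__"
// directly, or "constructor" followed by "prototype" (constructor.prototype).
// Rejecting all three drops any legitimate data field with those names,
// which is the usual trade-off for a generic deep merge.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Deep-copies own enumerable properties of `source` into `target`, never
// following a key that would redirect the write onto a prototype object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {       // own keys only, no inherited ones
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into a child that `target` itself owns; an inherited
      // object (such as Object.prototype) is never used as a merge target.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Self-check: a fresh object literal should expose no enumerable properties.
// Any name returned here was injected onto Object.prototype by something
// that ran earlier in this engine.
function pollutedPrototypeKeys() {
  const probe = {};
  const leaked = [];
  for (const k in probe) leaked.push(k);   // for..in walks inherited enumerables
  return leaked;
}

// Constructed payloads in the shapes the post describes (not real samples).
const PAYLOADS = [
  '{"__proto__":{"polluted":true}}',
  '{"constructor":{"prototype":{"polluted":true}}}',
  '{"a":{"b":1},"__proto__":{"polluted":true}}',
];

const merged = PAYLOADS.map(p => safeMerge({}, JSON.parse(p)));
console.log(JSON.stringify(merged), 'leaked onto Object.prototype:', pollutedPrototypeKeys());
```

Running the vulnerable `merge` from the previous section with the same payloads, then calling `pollutedPrototypeKeys()`, shows the difference: it returns `['polluted']` there and `[]` here.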

Observed Exploitation

Telemetry from multiple vendors places the earliest exploitation at December 2025. The attack pattern observed in the wild involved spear-phishing emails with PDF attachments tailored to financial and legal sector targets. The payload delivered in confirmed incidents was an infostealer focused on browser credentials, VPN configuration files, and document stores — consistent with initial access broker activity selling network footholds.

The multi-month window between first exploitation and patch availability is significant. Organisations relying on AV signatures or sandboxing for PDF-borne threats would have had no detection capability against a novel zero-day during this period.

Affected Versions

Remediation

  1. Update Adobe Acrobat Reader and Acrobat DC immediately via Help → Check for Updates or Adobe's download portal. The emergency patch (APSB26-43) is the only definitive fix.
  2. As a temporary measure, disable JavaScript in Adobe Acrobat: Edit → Preferences → JavaScript → uncheck "Enable Acrobat JavaScript". This blocks the exploitation vector entirely at the cost of some PDF functionality.
  3. Consider opening PDFs in a sandboxed viewer (e.g. browser-embedded PDF viewer, Sumatra PDF) as an alternative to full Acrobat for untrusted documents.
  4. Review email gateway controls for inbound PDF attachments — anti-malware sandboxes with JavaScript execution capability will detect current known samples, though not the original zero-day payloads.
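As an added example (not from the original post or any vendor product), a first-pass triage routine for PDFs arriving at a mail gateway: it flags the document-level and annotation triggers the post describes (the PDF `/OpenAction` and `/AA` entries) when they coexist with JavaScript actions (`/JavaScript`, `/JS`), after decoding the `#xx` name escapes the PDF format permits. It assumes Node.js; the sample byte strings are constructed fragments, not real samples.

```javascript
'use strict';

// PDF name objects may carry #xx hex escapes (the spec allows /J#53 for /JS),
// so decode them before matching or an escaped name slips past the check.
function decodePdfNames(text) {
  return text.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

const TRIGGERS = ['/OpenAction', '/AA'];           // fire an action automatically
const SCRIPT_MARKERS = ['/JavaScript', '/JS'];    // the action runs JavaScript

// Counts a name as a whole token (not followed by a name character),
// so /JS does not also match an unrelated /JSX.
function countName(text, name) {
  const re = new RegExp(name.replace('/', '\\/') + '(?![A-Za-z0-9_])', 'g');
  return (text.match(re) || []).length;
}

// Verdict plus per-marker counts. Only uncompressed bytes are inspected:
// dictionaries inside FlateDecode'd or object streams are invisible here,
// so a clean result means "nothing seen", not "nothing present".
function triagePdf(bytes) {
  const text = decodePdfNames(bytes.toString('latin1'));
  const counts = {};
  for (const n of [...TRIGGERS, ...SCRIPT_MARKERS]) counts[n] = countName(text, n);
  const hasTrigger = TRIGGERS.some(n => counts[n] > 0);
  const hasScript = SCRIPT_MARKERS.some(n => counts[n] > 0);
  const verdict = hasTrigger && hasScript ? 'auto-executing-javascript'
                : hasScript ? 'javascript-present' : 'no-javascript-seen';
  const hiddenContent = /\/FlateDecode|\/ObjStm/.test(text);  // inspect further if true
  return { verdict, counts, hiddenContent };
}

// Constructed fragments (not real samples); a real file is read with fs.readFileSync.
const SAMPLES = {
  benign: Buffer.from('%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n'),
  autoRun: Buffer.from('%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n' +
                       '3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n'),
  escapedNames: Buffer.from('%PDF-1.7\n1 0 obj << /Type /Catalog /Open#41ction 3 0 R >> endobj\n' +
                            '3 0 obj << /S /Java#53cript /J#53 4 0 R >> endobj\n'),
};

for (const [name, bytes] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triagePdf(bytes)));
}
```

An `auto-executing-javascript` verdict is a reason to detonate the file in a sandbox that actually executes Acrobat JavaScript, not proof of exploitation; a `hiddenContent` flag means the streams need decompressing before the result can be trusted.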

Detection Guidance

Takeaways

PDF-borne JavaScript exploits are not new, but this vulnerability is a reminder that the attack surface of document readers with embedded scripting engines is substantial and persistently targeted. Prototype pollution as a class has historically been treated as a web application issue — CVE-2026-34621 demonstrates it is just as relevant in any JavaScript runtime with access to privileged APIs.

For red teams, weaponised PDF delivery with zero-interaction execution is one of the highest-value phishing primitives available. The combination of trusted file format, automatic script execution, and months-long undetected exploitation makes this an archetypal initial access vector. Patch status checks for Acrobat should be a standard item in any external attack surface review.
