PT-2026-32093 · Adobe · Acrobat Reader

Michele Spagnuolo · Published 2026-04-08 · Updated 2026-05-06 · CVE-2026-34621

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
  • Acrobat DC versions prior to 26.001.21411
  • Acrobat Reader DC versions prior to 26.001.21411
  • Acrobat 2024 (affected versions not specified)

Description
An Improperly Controlled Modification of Object Prototype Attributes, also known as Prototype Pollution, exists in the JavaScript engine of Adobe Acrobat and Reader. The issue stems from insecure handling of object properties in privileged APIs, which allows an attacker to pollute the base Object.prototype and redirect the execution flow of the process. This can lead to arbitrary code execution with the privileges of the current user, potentially resulting in full system takeover, credential harvesting, and lateral movement within a network.

Approximately 600 million active installations worldwide are potentially affected. The issue has been actively exploited by APT groups since December 2025, often using Russian-language lures targeting the oil and gas industry.

Technical details include:
  • API Endpoints: The util.readFileIntoStream() function is used to read arbitrary files accessible to the process, and the RSS.addFeed() function is repurposed as a bidirectional command and control channel to exfiltrate data and receive additional JavaScript payloads.
  • Vulnerable Functions: util.readFileIntoStream() and RSS.addFeed().

Exploitation requires the victim to open a maliciously crafted PDF file, which can be delivered via email or web downloads, or triggered by preview panes in applications such as Outlook or macOS Finder.

Recommendations
Update Acrobat DC and Acrobat Reader DC to version 26.001.21411 or later. As a temporary workaround, navigate to Preferences > JavaScript and uncheck Enable Acrobat JavaScript to disable the primary attack vector.

Fix

RCE

Prototype Pollution

Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2026-04929
CVE-2026-34621

Affected Products

Acrobat Reader