PT-2026-32093 · Adobe · Acrobat Reader

Michele Spagnuolo · Published 2026-04-08 · Updated 2026-05-25 · CVE-2026-34621

CVSS v2.0

10

High

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Acrobat DC and Acrobat Reader DC versions prior to 26.001.21411; Acrobat 2024 (affected versions not specified)

Description

An Improperly Controlled Modification of Object Prototype Attributes, also known as Prototype Pollution, exists in the JavaScript engine of Adobe Acrobat and Reader. The issue stems from insecure handling of object properties in privileged APIs, which allows an attacker to pollute the base Object.prototype and redirect the execution flow of the process. This can lead to arbitrary code execution with the privileges of the current user and potentially to full system takeover.

Technical details indicate the flaw is present in the util.readFileIntoStream() function, which can be used to read arbitrary files accessible to the process, such as credentials and SSH keys. Additionally, the RSS.addFeed() function has been repurposed as a bidirectional command-and-control channel to retrieve malicious JavaScript payloads and exfiltrate gathered information to remote servers. Exploitation requires the victim to open a specially crafted PDF file, which can be delivered via email, web downloads, or preview panes in applications such as Outlook or macOS Finder.

Approximately 600 million active installations worldwide were potentially affected. The issue has been actively exploited by APT groups since December 2025 for espionage and fingerprinting attacks.

Recommendations

Update Acrobat DC and Acrobat Reader DC to version 26.001.21411 or later. As a temporary workaround, navigate to Preferences > JavaScript and uncheck Enable Acrobat JavaScript to disable the primary attack vector.
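Because the chain described above hides its JavaScript inside a PDF and calls the two APIs named in this advisory, a mail gateway or sandbox can triage inbound PDFs by inflating their streams and looking for those names. The script below is an added, defender-side example written for this page, not code from the advisory or from Adobe; the sample PDF it builds is a constructed, hypothetical document (only an API name, no exploit logic) that shows why a plain string search over the raw file is not enough when the script body is FlateDecode-compressed.

```python
import re
import zlib

# API names this advisory reports as abused by the in-the-wild chain.
SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_ACTION_RE = re.compile(rb"/(JavaScript|JS)\b")

def decoded_views(pdf_bytes: bytes) -> list:
    """The raw file plus every stream body, inflated where it is Flate-compressed."""
    views = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        try:
            views.append(zlib.decompress(body))
        except zlib.error:
            views.append(body)  # not Flate (or already plain text): scan as-is
    return views

def scan_pdf(pdf_bytes: bytes) -> dict:
    """Flag documents that carry JavaScript and name any of the abused APIs they reference."""
    has_js, hits = False, set()
    for view in decoded_views(pdf_bytes):
        if JS_ACTION_RE.search(view):
            has_js = True
        hits.update(api for api in SUSPICIOUS_APIS if api.encode() in view)
    verdict = "suspicious" if hits else ("has-javascript" if has_js else "clean")
    return {"has_javascript": has_js, "apis": sorted(hits), "verdict": verdict}

def build_sample_pdf(js: str) -> bytes:
    """Constructed minimal PDF (hypothetical test input, not the real exploit) whose
    OpenAction runs `js` stored in a FlateDecode stream, so the API names are not
    visible in the raw bytes and only appear after the stream is inflated."""
    body = zlib.compress(js.encode())
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n",
        b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n",
        b"stream\n" + body + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%EOF\n",
    ])

if __name__ == "__main__":
    sample = build_sample_pdf('var f = util.readFileIntoStream("placeholder.txt");')
    print(scan_pdf(sample))  # verdict: suspicious, apis: ['util.readFileIntoStream']
    print(scan_pdf(build_sample_pdf('app.alert("hello");')))  # verdict: has-javascript
```

The check is a first-pass triage only: it handles FlateDecode but not other PDF filters, and an author who assembles the API name from string fragments at runtime will not match, so treat a "has-javascript" result on an unexpected document as worth a sandbox detonation rather than a pass.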

Fix

RCE

Prototype Pollution

Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2026-04929
CVE-2026-34621

Affected Products

Acrobat Reader