PT-2026-32093 · Adobe · Acrobat Reader

Michele Spagnuolo

·

Published

2026-04-08

·

Updated

2026-06-16

·

CVE-2026-34621

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Acrobat DC versions prior to 26.001.21411 Acrobat Reader DC versions prior to 26.001.21411 Acrobat 2024 (affected versions not specified)
Description An Improperly Controlled Modification of Object Prototype Attributes, also known as Prototype Pollution, exists in the JavaScript engine of Adobe Acrobat and Reader. This issue occurs due to insecure handling of object properties in privileged APIs, allowing an attacker to pollute the base Object.prototype and redirect the execution flow of the process. This can lead to arbitrary code execution in the context of the current user and potentially result in full system takeover. The flaw is specifically linked to the util.readFileIntoStream() function, which can be used to read arbitrary files, and the RSS.addFeed() function, which has been repurposed as a bidirectional command and control channel to exfiltrate data and receive additional payloads. Exploitation requires the victim to open a maliciously crafted PDF file, which can be triggered via email, web downloads, or preview panes in applications like Outlook or macOS Finder. Approximately 600 million active installations worldwide were potentially affected. The issue has been actively exploited by APT groups since December 2025 for espionage and fingerprinting attacks.
Recommendations Update Acrobat DC and Acrobat Reader DC to versions 26.001.21411 or later. As a temporary workaround, navigate to Preferences > JavaScript and uncheck Enable Acrobat JavaScript to disable the primary attack vector.

Fix

RCE

Buffer Overflow

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-04929
CVE-2026-34621

Affected Products

Acrobat Reader