CVE-2026-34621
Prototype Pollution in Adobe Acrobat Reader Enables Code Execution
Publication date: 2026-04-11
Last updated on: 2026-04-13
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | acrobat_dc | to 26.001.21411 (exc) |
| adobe | acrobat_reader_dc | to 26.001.21411 (exc) |
| adobe | acrobat | From 24.0.0 (inc) to 24.001.30362 (exc) |
| adobe | acrobat | From 24.0.0 (inc) to 24.001.30360 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier. It is an Improperly Controlled Modification of Object Prototype Attributes, also known as 'Prototype Pollution'. This flaw could allow an attacker to execute arbitrary code within the context of the current user.
To exploit this vulnerability, an attacker must trick a victim into opening a malicious file.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to arbitrary code execution with the privileges of the current user. This means an attacker could potentially run malicious code, steal data, or perform unauthorized actions on the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that Acrobat Reader is updated to a version later than 24.001.30356 or 26.001.21367, as these versions are affected.
Additionally, since exploitation requires user interaction by opening a malicious file, educate users to avoid opening suspicious or untrusted files.