Adobe broke from its regular schedule to close a hole in Acrobat and Acrobat Reader that was already being used against real users. Tracked as CVE-2026-34621, it’s a prototype pollution flaw in the JavaScript engine baked into the PDF reader. Opening a crafted document is enough for an attacker to run code with the permissions of whoever opened the file.
What the vulnerability is
Prototype pollution is a class of bug that comes from the JavaScript world. Acrobat Reader isn’t just a viewer for static pages: it ships a JavaScript interpreter for forms, validation and in-document actions. When that interpreter copies object properties without validating the property names it is handed, a crafted PDF can reach the prototype of base objects and change how the whole program behaves. From there the bug chains up to arbitrary code execution in the user’s context, rated CVSS 8.6.
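To make the bug class concrete, here is an added JavaScript illustration, not Acrobat’s code: a merge routine that copies caller-supplied keys without checking them (unsafeMerge) lets a key named "__proto__" reach Object.prototype, while the hardened variant (safeMerge) drops the prototype-reaching keys. The function names and the crafted input are constructed for this example.

```javascript
// Constructed input: JSON.parse creates a real own property named "__proto__",
// exactly the shape an unchecked property copy mishandles.
const CRAFTED_JSON = '{"name": "form1", "__proto__": {"isAdmin": true}}';

// Vulnerable pattern: every key in `source` is written into `target`.
// For key "__proto__", target[key] is Object.prototype, so the recursion
// writes isAdmin onto the prototype shared by every plain object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: refuse the keys that can walk up to a prototype, and only
// recurse into properties the target itself owns. (Building targets with
// Object.create(null) is a complementary defence.)
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop prototype-reaching keys
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge and reports whether an unrelated, freshly created object
// gained the injected property; restores Object.prototype afterwards.
function pollutionLeaks(mergeFn) {
  mergeFn({}, JSON.parse(CRAFTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

Running pollutionLeaks(unsafeMerge) reports true and pollutionLeaks(safeMerge) reports false; the benign "name" key survives the hardened merge.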
The real danger isn’t only the score. The flaw had been exploited in the wild since at least November 2025, months before a fix existed. Researcher Haifei Li found it after a malicious sample landed in EXPMON, a public system that detects file-based exploits. In other words, someone already had a working exploit in circulation.
Who is affected
It hits Acrobat and Acrobat Reader on both Windows and macOS, in the DC and 2024 branches. The vulnerable versions are those prior to:
- Acrobat DC and Acrobat Reader DC: before 26.001.21411
- Acrobat 2024: before 24.001.30362 on Windows and 24.001.30360 on macOS
Anyone who opens PDFs from sources they don’t control is in scope. That’s nearly everyone: invoices, resumes, contracts, email attachments. PDF remains a favorite vector precisely because people trust it without a second thought.
Why the KEV listing matters
CISA added CVE-2026-34621 to its Known Exploited Vulnerabilities (KEV) catalog on April 13, giving U.S. federal agencies until April 27 to patch. A KEV entry isn’t paperwork: it means exploitation is confirmed and the risk is present, not theoretical. Even if you aren’t a federal agency, the KEV is a solid priority list for any team.
How to protect yourself
Update Acrobat and Acrobat Reader to the fixed versions now. If you manage a fleet, push it by policy instead of trusting each user to do it. While the rollout reaches everyone, the usual PDF advice applies, plus a couple of specifics for this case:
- Don’t open documents from unknown or unexpected sources.
- If you can, turn off JavaScript execution in Acrobat (Preferences > JavaScript).
- Security teams can watch for “Adobe Synchronizer” User-Agent strings and block the associated http/https traffic, an indicator seen in this campaign.
A PDF reader shouldn’t run code just because you opened a file, but the mix of embedded JavaScript and a permissive parser has been producing this kind of scare for years. Patch and shrink the attack surface by disabling what you don’t use.