A high-severity prototype pollution flaw in Adobe Acrobat and Reader allows arbitrary code execution when a user opens a malicious file, and CISA has added it to the KEV catalog confirming active exploitation in the wild.
What Is It
CVE-2026-34621 is an Improperly Controlled Modification of Object Prototype Attributes vulnerability (CWE-1321) in Adobe Acrobat and Acrobat Reader. Successful exploitation results in arbitrary code execution in the context of the current user. The attack vector is local and requires user interaction (a victim must open a crafted malicious file), but no privileges are required to trigger the flaw. Adobe's PSIRT scored it CVSS 3.1 8.6 (HIGH), with a changed scope and High impact across confidentiality, integrity, and availability.
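The following is an added illustration of the CWE-1321 bug class in plain JavaScript. It is not Adobe's code and does not reproduce the Acrobat flaw, whose internals the advisory does not describe; it shows the generic pattern behind prototype pollution, a recursive merge that trusts untrusted keys, beside a hardened merge and a check a defender can use to detect that the shared prototype has been modified. The untrusted input is constructed.

```javascript
// Constructed input standing in for untrusted parsed data (e.g. JSON carried in a document).
// JSON.parse creates an own property literally named "__proto__".
const UNTRUSTED = JSON.parse('{"title":"report","__proto__":{"polluted":"yes"}}');

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable merge: every key in `src` is trusted, including "__proto__".
// Reading dst["__proto__"] on a normal object yields Object.prototype, so the
// recursion writes attacker-chosen properties onto the prototype shared by all objects.
function mergeUnsafe(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      mergeUnsafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened merge: refuse keys that reach the prototype chain, and build nested
// containers with a null prototype so there is nothing upstream to modify.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = Object.create(null);
      }
      mergeSafe(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Detection check: Object.prototype normally has no own *enumerable* keys
// (built-ins such as toString are non-enumerable). Any key listed here was
// written onto the shared prototype by something at runtime.
function prototypeOwnKeys() {
  return Object.keys(Object.prototype);
}

// Runs the unsafe merge, observes whether an unrelated object inherited the
// injected property, then removes it so global state is restored.
function demoUnsafe() {
  mergeUnsafe({}, UNTRUSTED);
  const leaked = ({}).polluted;        // "yes": the prototype was modified
  const keys = prototypeOwnKeys();     // ["polluted"]
  delete Object.prototype.polluted;    // clean up
  return { leaked, keys };
}

// Same input through the hardened merge: the data key survives, the
// prototype-reaching key is dropped, and unrelated objects are untouched.
function demoSafe() {
  const out = mergeSafe({}, UNTRUSTED);
  return {
    title: out.title,                  // "report"
    leaked: ({}).polluted,             // undefined
    keys: prototypeOwnKeys(),          // []
  };
}
```

The key-blocklist plus null-prototype containers is the usual fix for this class; `prototypeOwnKeys()` is a cheap runtime canary, since a non-empty result on a healthy process should never happen.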
Why It Matters
CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-04-13, confirming active exploitation. Federal civilian agencies were given until 2026-04-27 to remediate under BOD 22-01. Known ransomware campaign use is listed as Unknown. Acrobat and Reader sit on a huge user base across enterprise endpoints, and document-borne code execution chains remain a reliable foothold for phishing and targeted intrusion operators.
What's Vulnerable
Per Adobe and NVD, the affected products and versions are:
- Acrobat DC (Continuous track): versions prior to 26.001.21411 (Windows and macOS)
- Acrobat Reader DC (Continuous track): versions prior to 26.001.21411 (Windows and macOS)
- Acrobat (Classic track) on Windows: versions from 24.0.0 up to, but not including, 24.001.30362
- Acrobat (Classic track) on macOS: versions from 24.0.0 up to, but not including, 24.001.30360
NVD's description specifically calls out Acrobat Reader 24.001.30356, 26.001.21367 and earlier as affected.
Patch Status
Adobe published fixes in advisory APSB26-43. Upgrade to the fixed builds:
- Continuous track: 26.001.21411 or later
- Classic track (Windows): 24.001.30362 or later
- Classic track (macOS): 24.001.30360 or later
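As an added triage helper (not Adobe's or CISA's tooling), the following JavaScript encodes the affected ranges and fixed builds listed above and flags inventory entries that still need APSB26-43. It assumes Acrobat build numbers compare as three dotted integers and treats versions outside the listed ranges as out of scope; the inventory records are constructed.

```javascript
// Parse an Acrobat build string such as "26.001.21411" into [26, 1, 21411].
function parseVersion(s) {
  const parts = String(s).trim().split('.');
  if (parts.length !== 3 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unrecognised Acrobat version string: ${s}`);
  }
  return parts.map(Number);
}

// Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed builds from APSB26-43, keyed by track and platform (from the advisory summary).
const FIXED = {
  continuous: { windows: '26.001.21411', macos: '26.001.21411' },
  classic:    { windows: '24.001.30362', macos: '24.001.30360' },
};

// Continuous track: affected if prior to the fixed build.
// Classic track: affected if within 24.0.0 up to (not including) the fixed build.
// Assumption: anything outside the listed ranges is reported as not affected;
// confirm such builds against Adobe's advisory rather than this helper.
function isAffected(track, platform, version) {
  const fixed = FIXED[track] && FIXED[track][platform];
  if (!fixed) throw new Error(`unknown track/platform: ${track}/${platform}`);
  if (track === 'classic' && compareVersions(version, '24.0.0') < 0) return false;
  return compareVersions(version, fixed) < 0;
}

// Returns one remediation line per inventory entry that still needs the patch.
function hostsNeedingPatch(inventory) {
  return inventory
    .filter((h) => isAffected(h.track, h.platform, h.version))
    .map((h) => `${h.host}: ${h.track}/${h.platform} ${h.version} -> upgrade to ${FIXED[h.track][h.platform]}`);
}

// Constructed sample inventory (hostnames and versions are illustrative).
const SAMPLE_INVENTORY = [
  { host: 'ws-01', track: 'continuous', platform: 'windows', version: '26.001.21367' },
  { host: 'ws-02', track: 'continuous', platform: 'macos',   version: '26.001.21411' },
  { host: 'ws-03', track: 'classic',    platform: 'windows', version: '24.001.30356' },
  { host: 'ws-04', track: 'classic',    platform: 'macos',   version: '24.001.30360' },
];

// Example run: ws-01 and ws-03 are flagged; ws-02 and ws-04 are already on fixed builds.
for (const line of hostsNeedingPatch(SAMPLE_INVENTORY)) console.log(line);
```

Feeding this a real inventory export (hostname, track, platform, version) gives the list of endpoints to prioritise ahead of the 2026-04-27 KEV due date; a string comparison of version numbers would get the Classic builds wrong, which is why the components are compared as integers.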
CISA's required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The KEV due date was 2026-04-27.