JustAppSec

Adobe patches exploited prototype pollution RCE in Acrobat/Reader

2 min read | Published 11 Apr 2026 | Updated 11 Apr 2026 | Source: Adobe Security Bulletin

TL;DR — A Critical prototype-pollution bug in Acrobat/Reader is being exploited in the wild and can lead to arbitrary code execution when a victim opens a malicious file.

What happened

Adobe Acrobat and Adobe Acrobat Reader are widely deployed PDF clients for viewing and working with PDF documents on Windows and macOS. Adobe’s APSB26-43 bulletin discloses a Critical vulnerability (prototype pollution; CWE-1321) that can result in arbitrary code execution in the context of the current user.

Adobe explicitly states it is aware of in-the-wild exploitation for CVE-2026-34621, and rates the bulletin as Priority 1.

| Item | Source value |
| --- | --- |
| Affected software | Adobe Acrobat DC, Adobe Acrobat Reader DC, Adobe Acrobat 2024 |
| Impact | Arbitrary code execution |
| Weakness | Prototype Pollution (CWE-1321) |
| Severity | Critical, CVSS v3.1 base score 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) |
| Affected versions | 26.001.21367 and earlier (Acrobat DC / Reader DC Continuous); 24.001.30356 and earlier (Acrobat 2024 Classic 2024) |
| Updated versions (vendor) | 26.001.21411 (Acrobat DC / Reader DC Continuous); Windows 24.001.30362 and Mac 24.001.30360 (Acrobat 2024 Classic 2024) |

Active exploitation plus a document-open trigger is a high-leverage combination: PDF is a common ingress format, and client-side RCE in ubiquitous readers tends to translate quickly into broad enterprise exposure.

Who is impacted

  • Any Windows or macOS fleet running:
    • Acrobat DC (Continuous) 26.001.21367 and earlier
    • Acrobat Reader DC (Continuous) 26.001.21367 and earlier
    • Acrobat 2024 (Classic 2024) 24.001.30356 and earlier
  • Higher-risk environments where users routinely open PDFs from external/untrusted sources (email, web downloads, ticketing systems, shared drives).
  • Organizations that treat PDF handlers as “safe viewers” (i.e., where a compromise would land inside high-value identity/browser sessions or developer tooling access).

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
  • For end users, Adobe lists the primary update path as:

    "Help > Check for Updates."

  • For managed environments:
    • Use your existing patch workflow to roll out the updated builds Adobe lists in the bulletin.
    • Adobe notes IT admins should use release-note-linked installers and can deploy via tools such as AIP-GPO, SCUP/SCCM (Windows), or on macOS via Apple Remote Desktop / SSH.
  • Given Adobe’s statement of in-the-wild exploitation, treat this as a rapid patching item for exposed user populations (email-heavy roles, support desks, finance/legal, and anyone processing inbound PDFs).
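
To prioritise that rollout, the following added example (not from Adobe or the original article) triages an installed-software inventory against the version thresholds in the table above. The record layout, the track labels "continuous" and "classic2024", and the hostnames are assumptions made for illustration.

```python
import re

# Thresholds copied from the bulletin table above; track labels are assumed names.
AFFECTED_MAX = {"continuous": (26, 1, 21367), "classic2024": (24, 1, 30356)}
FIXED_MIN = {
    ("continuous", "windows"): (26, 1, 21411),
    ("continuous", "macos"): (26, 1, 21411),
    ("classic2024", "windows"): (24, 1, 30362),
    ("classic2024", "macos"): (24, 1, 30360),
}

def parse_version(text):
    """Turn '26.001.21367' into (26, 1, 21367); return None if malformed."""
    m = re.fullmatch(r"([0-9]+)\.([0-9]+)\.([0-9]+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(track, platform, version_text):
    """Classify one install as 'vulnerable', 'patched', 'review' or 'unknown'."""
    key = (track.lower(), platform.lower())
    version = parse_version(version_text)
    if version is None or key not in FIXED_MIN:
        return "unknown"  # unparseable version or a track the table does not list
    if version <= AFFECTED_MAX[key[0]]:
        return "vulnerable"
    if version >= FIXED_MIN[key]:
        return "patched"
    # Above the last listed affected build but below the fixed build for this
    # platform: the table does not classify these, so send them to a human.
    return "review"

# Constructed sample inventory: (host, track, platform, installed version).
INVENTORY = [
    ("ws-001", "continuous", "windows", "26.001.21367"),
    ("ws-002", "continuous", "macos", "26.001.21411"),
    ("ws-003", "classic2024", "macos", "24.001.30360"),
    ("ws-004", "classic2024", "windows", "24.001.30360"),
    ("ws-005", "continuous", "windows", "not installed"),
]

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(track, plat, ver) for host, track, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

The Classic 2024 rows show why the platform matters: build 24.001.30360 meets the Mac fixed version but falls short of the Windows one, so the same version string gets a different status per platform.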
