Adobe has released an emergency out-of-band security update for Adobe Acrobat Reader to address a zero-day vulnerability, CVE-2026-34621 (CVSS 8.6, rated critical by Adobe), that has been actively exploited in the wild since at least December 2025. The flaw is a prototype pollution bug in Reader's embedded JavaScript engine: a maliciously crafted PDF can use it to run attacker-controlled JavaScript and, from there, achieve remote code execution on the victim's machine, with no more user interaction than opening the document.
Understanding Prototype Pollution in Acrobat Reader
Prototype pollution is a class of JavaScript vulnerability in which attacker-controlled data is used to set properties on objects without validating the property names. Keys such as __proto__ or constructor.prototype walk the prototype chain instead of creating an ordinary property, so the attacker ends up writing to Object.prototype, the base object from which nearly all JavaScript objects inherit.
In Adobe Acrobat Reader, which embeds a JavaScript engine to support interactive PDF features, such a flaw means a specially crafted PDF can plant attacker-chosen properties on the prototype shared by every object in the runtime. Any trusted code that then reads a property it never explicitly set, such as an option flag or a default value, falls through to the polluted prototype and receives the attacker's value instead of undefined. Chained with the right gadget (privileged code whose behaviour is steered by such a property), that is enough to run attacker-controlled JavaScript and, as in this case, escalate to code execution.
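The mechanism described above, as an added example that is not Adobe's code and does not reproduce the Acrobat bug: a generic recursive merge that is vulnerable to prototype pollution, a hypothetical gadget (exportDocument, with an invented allowFileSystemWrite option) that makes a security decision based on a property it never set, the hardened merge, and a harness that shows the difference. The payload is constructed.

```javascript
// Added example (not Adobe's code): prototype pollution end to end.

// VULNERABLE: recursive merge of attacker-controlled data (e.g. parsed JSON
// from a document) onto a settings object. For the key "__proto__",
// target[key] resolves to Object.prototype, so the recursion writes the
// attacker's values onto the prototype every plain object inherits from.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: the same merge, refusing the keys that reach the prototype chain
// and only ever descending into the target's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// GADGET (hypothetical): privileged code that reads an option it never set.
// With a clean prototype the lookup yields undefined and the action is denied;
// after pollution the same lookup returns the attacker's value.
function exportDocument(options) {
  if (options.allowFileSystemWrite === true) {
    return { action: 'wrote', path: options.path };
  }
  return { action: 'denied' };
}

// Run one merge against a constructed payload and report whether the shared
// prototype was polluted and what the gadget then did. Cleans up afterwards
// so that repeated runs are independent.
function runMerge(mergeFn) {
  const untrusted = JSON.parse(
    '{"title":"Invoice","__proto__":{"allowFileSystemWrite":true,"path":"/tmp/payload"}}'
  );
  const settings = mergeFn({}, untrusted);
  const unrelated = {};                                   // no own properties at all
  const polluted = 'allowFileSystemWrite' in unrelated;   // true only via the prototype
  const result = exportDocument(unrelated);
  delete Object.prototype.allowFileSystemWrite;           // cleanup
  delete Object.prototype.path;
  return { title: settings.title, polluted, action: result.action };
}

console.log('unsafeMerge:', runMerge(unsafeMerge));
console.log('safeMerge:  ', runMerge(safeMerge));
```

The point of the harness is the `unrelated` object: it is created after the merge, has no own properties, and is never touched by the attacker, yet the gadget still "wrote" a file when the vulnerable merge was used. That is why prototype pollution is hard to reason about locally: the damage shows up in code that never saw the malicious input.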
Security researcher Haifei Li, founder of the EXPMON exploit monitoring platform, discovered and disclosed the exploitation of CVE-2026-34621 in the wild. According to Li, threat actors crafted PDF documents that appeared legitimate but contained embedded JavaScript specifically designed to trigger the prototype pollution chain and ultimately execute attacker-controlled code on the victim’s machine.
Long-Running Zero-Day: Months of Silent Exploitation
One of the most troubling aspects of CVE-2026-34621 is its exploitation timeline. Evidence gathered by security researchers suggests that the vulnerability was under active exploitation as early as December 2025, roughly four months before Adobe released a patch. During that window attackers could deliver payloads, establish persistence, and exfiltrate data from anyone who opened a malicious PDF, and no patch-based defense was possible because no patch existed.
This timeline raises serious questions about Adobe’s vulnerability monitoring processes and the effectiveness of current endpoint detection tools in identifying novel PDF-based exploit chains before they are publicly known.
Affected Versions
CVE-2026-34621 affects the following Adobe Acrobat Reader versions:
- Acrobat 2024: versions 24.001.30356 and earlier (Windows and macOS)
Fixed versions:
- Acrobat 2024 for Windows: 24.001.30362
- Acrobat 2024 for macOS: 24.001.30360
Users running Acrobat DC (continuous track) or Acrobat 2020 should verify their specific version against Adobe’s security bulletin, as those tracks may also be affected.
Attack Scenarios: Who Is at Risk?
PDF documents are one of the most universally trusted file formats in business environments. They are shared via email, downloaded from websites, received from clients and vendors, and often opened without hesitation. This trust makes Acrobat Reader vulnerabilities particularly dangerous — they sit directly in the path of phishing campaigns, business email compromise (BEC) attacks, and malicious document delivery chains.
Typical attack scenarios for CVE-2026-34621 include:
- Phishing emails with malicious PDF attachments disguised as invoices, contracts, or delivery notifications.
- Drive-by downloads where a user visits a malicious or compromised website that triggers an automatic PDF download.
- Document sharing via cloud storage or collaboration platforms, where malicious PDFs are uploaded and shared with targets.
- Malvertising campaigns that use PDF previews or downloads as the initial delivery mechanism.
Immediate Mitigation Steps
Organizations using Adobe Acrobat Reader should take the following actions immediately:
- Update Adobe Acrobat Reader to version 24.001.30362 (Windows) or 24.001.30360 (macOS) via Help > Check for Updates or through Adobe's official download portal, then confirm the installed build under Help > About Adobe Acrobat Reader.
- Disable JavaScript in Acrobat Reader as an interim measure if patching is not immediately possible: go to Edit > Preferences > JavaScript (Acrobat Reader > Preferences on macOS) and uncheck "Enable Acrobat JavaScript." For fleet-wide enforcement, push the equivalent lockdown preference (bDisableJavaScript under FeatureLockDown) through the registry or the macOS plist with your management tooling so users cannot re-enable it. Note that this will break legitimate interactive PDF features such as form validation and calculated fields.
- Deploy email security controls to scan PDF attachments for embedded JavaScript (the /JavaScript and /JS dictionary keys) and for actions that run it automatically (/OpenAction and /AA), and flag or quarantine suspicious documents before delivery. Scanners that only string-match the raw file will miss dictionaries stored inside compressed object streams, so the filter should decompress those before matching.
- Hunt in endpoint telemetry back to December 2025 for anomalous Acrobat Reader behavior, as systems may already be compromised: the Reader process (AcroRd32.exe or Acrobat.exe on Windows) spawning children such as cmd.exe, powershell.exe, rundll32.exe or mshta.exe, making unexpected outbound network connections, or writing executables to user-writable paths.
- Confirm that Protected Mode (Reader's sandbox on Windows) and Protected View have not been disabled by policy, and consider PDF sandboxing or virtual machine-based PDF preview solutions for high-risk environments where untrusted PDFs are routinely opened.
Conclusion
CVE-2026-34621 is a zero-day, rated critical by Adobe with a CVSS score of 8.6, that combined a subtle JavaScript-engine flaw with a months-long window of active exploitation before a patch was available. PDF-based attacks are a perennial threat precisely because the file format is so trusted and so widely used, and this exploit is a reminder that even mature, security-conscious products like Adobe Acrobat Reader can harbor dangerous flaws that go undetected for extended periods. Patch immediately, and hunt for signs of compromise going back to December 2025.