Vulnerability Analysis

CVE-2026-34621: Adobe Acrobat Reader Prototype Pollution — What It Is & How to Fix It

Executive Summary

CVE-2026-34621 is a prototype pollution vulnerability in the JavaScript engine embedded within Adobe Acrobat and Adobe Acrobat Reader that enables attackers to execute arbitrary code by convincing a victim to open a specially crafted PDF. Adobe issued an emergency out-of-band patch on April 13, 2026 after confirming active exploitation in the wild. Organizations and individuals running unpatched versions of Acrobat or Reader should apply the update immediately, as phishing campaigns delivering weaponized PDFs are already underway.


1. What Is This Vulnerability?

Prototype pollution is a class of JavaScript vulnerability that occurs when an attacker is able to inject properties into the root-level Object.prototype, causing those properties to propagate across all objects in the runtime — including internal engine objects. Adobe Acrobat embeds a full JavaScript engine to support interactive PDF features (forms, annotations, calculations, etc.), and that engine is the attack surface here.

In CVE-2026-34621, a malicious PDF can carry obfuscated JavaScript that abuses improper property assignment handling in Acrobat's JS runtime. By manipulating __proto__ or constructor.prototype on a shared object, an attacker can inject attacker-controlled properties or methods into the prototype chain of internal objects. Depending on how those internal objects are subsequently used by the engine, this leads to type confusion, memory corruption, or direct invocation of privileged Acrobat JavaScript APIs — ultimately enabling arbitrary code execution in the context of the logged-in user.
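To make the mechanism concrete, here is an added example (not code from the advisory, and not Acrobat's engine code) of the generic pattern the paragraph describes: a recursive merge that copies attacker-supplied keys into an object without checking for __proto__, beside a hardened merge that refuses prototype-reaching keys. The poisoned JSON input is constructed for illustration; any JavaScript runtime shows the same behaviour.

```javascript
// Added example: how an unsafe recursive merge lets an own key named
// "__proto__" pollute Object.prototype, and a hardened merge that refuses it.
// POISONED_INPUT is a constructed sample, not material from a real PDF.

// Vulnerable pattern: copies every key from src into target and recurses into
// nested objects. JSON.parse produces an own property literally named
// "__proto__", and target["__proto__"] resolves to Object.prototype, so the
// nested keys land on the shared prototype instead of on target.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (src[key] !== null && typeof src[key] === 'object' &&
        target[key] !== null && typeof target[key] === 'object') {
      unsafeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened pattern: drop keys that can reach the prototype chain, recurse only
// into the target's own plain-object properties, and create nested containers
// without a prototype so no inherited key is ever consulted.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // drop silently; throw instead if a hard failure is preferred
    }
    if (isPlainObject(src[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Constructed attacker-style input: an own property literally named "__proto__".
const POISONED_INPUT = '{"title":"invoice","__proto__":{"isAdmin":true}}';

// Runs the unsafe merge, checks whether an unrelated object inherited the
// injected property, then removes it so the rest of the runtime is unaffected.
function demonstrateUnsafe() {
  const target = {};
  unsafeMerge(target, JSON.parse(POISONED_INPUT));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;          // true: pollution succeeded
  const ownKeyOnTarget = Object.prototype.hasOwnProperty.call(target, 'isAdmin'); // false
  delete Object.prototype.isAdmin;                    // undo the pollution
  return { leaked, ownKeyOnTarget };
}

// Same input through the hardened merge: benign keys copied, prototype untouched.
function demonstrateSafe() {
  const target = safeMerge({}, JSON.parse(POISONED_INPUT));
  const unrelated = {};
  return { leaked: unrelated.isAdmin === true, title: target.title };
}

console.log('unsafe merge:', demonstrateUnsafe()); // { leaked: true, ownKeyOnTarget: false }
console.log('safe merge:', demonstrateSafe());     // { leaked: false, title: 'invoice' }
```

The point of the unsafe case is that the injected property never appears on the object being merged into; it appears on every object in the runtime, which is exactly why prototype pollution inside an embedded engine can reach internal objects the script never referenced.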

Attack Vector

The exploit chain observed in the wild is phishing-driven and requires minimal user interaction:

  1. Victim receives a malicious PDF via email, web download, or file sharing platform.
  2. Victim opens the PDF in Adobe Acrobat or Reader.
  3. Embedded JavaScript automatically executes (no additional clicks required in default configuration).
  4. The script exploits the prototype pollution flaw to gain access to privileged Acrobat APIs.
  5. util.readFileIntoStream() is called to read local files and harvest sensitive data.
  6. RSS.addFeed() exfiltrates stolen data to a remote attacker-controlled server and downloads additional malicious JavaScript payloads.

The attack requires no sandbox escape in its observed form — it abuses trusted Acrobat APIs that are accessible once prototype pollution is achieved inside the JS engine.

Real-World Impact

Adobe confirmed active exploitation in the wild prior to the April 13, 2026 emergency patch. Threat actors have been deploying the exploit via phishing campaigns since at least late 2025. Observed post-exploitation activity includes:

  • Local file system reconnaissance and data exfiltration
  • Credential harvesting from browser storage and configuration files
  • Secondary payload delivery (additional JavaScript or native executables)
  • Persistent C2 communication disguised behind Adobe Synchronizer user-agent strings

2. Who Is Affected?

The following versions are confirmed vulnerable:

Product                    Platform          Vulnerable Versions
Adobe Acrobat DC           Windows & macOS   26.001.21367 and earlier
Adobe Acrobat Reader DC    Windows & macOS   26.001.21367 and earlier
Adobe Acrobat 2024         Windows           24.001.30356 and earlier
Adobe Acrobat 2024         macOS             24.001.30356 and earlier

Risk factors that increase exposure:

  • JavaScript execution enabled in Acrobat (enabled by default)
  • Acrobat set as the default PDF viewer in the OS or browser
  • Users who regularly open PDF attachments from email
  • Enterprise environments without enforced auto-update policies
  • Virtual Desktop Infrastructure (VDI) images running outdated Acrobat versions

3. How to Detect It (Testing)

Manual Testing Steps

  1. Check your installed version: Open Adobe Acrobat or Reader → Help → About Adobe Acrobat. Compare the version number against the vulnerable version table above.
  2. Check JavaScript status: Edit → Preferences → JavaScript. Confirm whether "Enable Acrobat JavaScript" is checked. If enabled and the version is unpatched, the system is vulnerable.
  3. Inspect process network behavior: Open a benign PDF and monitor outbound connections from AcroRd32.exe (Windows) or AdobeReader (macOS). Any unexpected HTTP/S connections — particularly those with Adobe Synchronizer in the User-Agent header — are a strong indicator of compromise or active exploitation.
  4. Examine PDF files for suspicious JavaScript: Use pdfid.py or pdf-parser.py (Didier Stevens tools) to count JS-related objects in a suspicious PDF before opening it. High counts of /JS, /JavaScript, or /AA (auto-action) entries warrant further analysis.

Automated Scanning

Tool: Tenable Nessus / Nessus Essentials

  • The Nessus plugin covering CVE-2026-34621 flags unpatched Acrobat installations during an authenticated scan.
  • Run a credentialed scan against endpoints with the "Adobe Acrobat" plugin family enabled.
  • Expected output: Hosts running versions ≤ 26.001.21367 will be flagged as High severity findings.

Tool: Qualys VMDR

  • The QID covering CVE-2026-34621 is available in the April 2026 signature update.
  • Use asset tagging to scope scan to hosts with Acrobat installed; run authenticated vulnerability scan.

Tool: pdfid.py (Didier Stevens)

pip install pdfid
pdfid.py suspicious.pdf

Look for elevated counts of /JS, /JavaScript, /OpenAction, /AA, /AcroForm in the output — these indicate embedded JavaScript that could be weaponized.

Tool: PDF Stream Dumper / peepdf

peepdf suspicious.pdf

Use the js command within the interactive shell to extract and review all JavaScript streams. Look for __proto__, constructor, util.readFileIntoStream, or RSS.addFeed calls.
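As an added example (not pdfid.py, peepdf, or any code from the advisory), the following script performs the two triage steps above in one pass: it counts the PDF name objects that signal embedded or auto-running JavaScript, and it scans the file for the API and prototype tokens listed above. It goes slightly beyond the text by resolving #xx hex escapes in PDF names (so /J#61vaScript is counted as /JavaScript, a common way to hide the keyword from naive greps). Both PDFs embedded below are constructed samples; the script assumes uncompressed streams, so a FlateDecode-compressed JavaScript stream would need inflating before the token scan sees it.

```javascript
// Added example: pdfid-style triage of a PDF for embedded JavaScript.
// Not the advisory's code and not pdfid.py/peepdf; samples are constructed.

const JS_NAMES = ['/JS', '/JavaScript', '/OpenAction', '/AA', '/AcroForm'];
// Tokens the advisory tells analysts to look for in extracted JavaScript.
const SUSPICIOUS_JS_TOKENS = ['__proto__', 'constructor', 'util.readFileIntoStream', 'RSS.addFeed'];

// PDF names may encode any byte as #xx, e.g. /J#61vaScript == /JavaScript.
function normalizeNames(pdfText) {
  return pdfText.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Count each name of interest. A name token ends at a delimiter or whitespace,
// so /JS is not also counted as a prefix of a longer name such as /JSomething.
function countNames(pdfText) {
  const text = normalizeNames(pdfText);
  const counts = {};
  for (const name of JS_NAMES) {
    const re = new RegExp(name + '(?![A-Za-z0-9_.])', 'g');
    counts[name] = (text.match(re) || []).length;
  }
  return counts;
}

// Plain substring scan over the (name-normalized) file for the suspicious tokens.
function findSuspiciousTokens(pdfText) {
  const text = normalizeNames(pdfText);
  return SUSPICIOUS_JS_TOKENS.filter((tok) => text.includes(tok));
}

// Verdict: JavaScript alone merits review; JavaScript wired to an auto-action
// (/OpenAction or /AA) is suspicious; any of the listed API tokens is high.
function triage(pdfText) {
  const counts = countNames(pdfText);
  const tokens = findSuspiciousTokens(pdfText);
  const hasJs = counts['/JS'] + counts['/JavaScript'] > 0;
  const autoRuns = counts['/OpenAction'] + counts['/AA'] > 0;
  let verdict = 'clean';
  if (hasJs) verdict = autoRuns ? 'suspicious' : 'review';
  if (tokens.length > 0) verdict = 'high';
  return { counts, tokens, verdict };
}

// Constructed sample: a form-bearing PDF whose OpenAction and page /AA point at a
// JavaScript stream that touches the prototype chain; the action type name is hex-escaped.
const SUSPICIOUS_PDF = `%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj
5 0 obj << /Length 66 >>
stream
var o = {}; o.__proto__.x = 1; util.readFileIntoStream("/example/path");
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF`;

// Constructed sample: a plain single-page document with no JavaScript at all.
const BENIGN_PDF = `%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 35 >>
stream
BT /F1 12 Tf 72 720 Td (Hello) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF`;

console.log('suspicious sample:', triage(SUSPICIOUS_PDF)); // verdict: 'high'
console.log('benign sample:', triage(BENIGN_PDF));         // verdict: 'clean'
```

Run it against real files with fs.readFileSync(path, 'latin1') so that bytes map one-to-one onto characters; a 'review' or 'suspicious' verdict is the cue to open the file in peepdf or pdf-parser.py for a proper look at the stream contents.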

Code Review Checklist (for PDF-generating applications)

  • Verify no user-controlled input is passed unsanitized into PDF JavaScript streams
  • Confirm embedded JavaScript in generated PDFs does not use dynamic eval() or prototype-touching patterns
  • Ensure PDF libraries used for generation are updated and do not themselves embed vulnerable Acrobat JS stubs
  • Review any server-side PDF processing pipelines that invoke Acrobat or Reader for rendering/conversion — these are also exposed

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Identify all instances of Adobe Acrobat and Reader across your environment using asset inventory, Nessus, or SCCM/Jamf queries.
  2. Apply the emergency patch immediately:
    • Acrobat DC / Reader DC → update to v26.001.21411 or later
    • Acrobat 2024 (Windows) → update to 24.001.30362 or later
    • Acrobat 2024 (macOS) → update to 24.001.30360 or later
  3. Update via Adobe's built-in updater: Help → Check for Updates, or deploy silently via enterprise tools.
  4. For enterprise deployments: Use Adobe's FTP distribution site or Adobe Update Server Setup Tool (AUSST) to push the update through your internal update server.
  5. Validate all endpoints have received the patch before closing the remediation ticket (see Section 5).
  6. If patching cannot occur immediately, apply the interim mitigations below.

Interim Workarounds (If Patching Is Not Immediately Possible)

Disable JavaScript in Adobe Acrobat/Reader:

Edit → Preferences → JavaScript → Uncheck "Enable Acrobat JavaScript" → OK

This prevents the embedded JS engine from executing and blocks this specific attack vector. Note that this may break legitimate interactive PDF functionality (forms with calculations, dynamic fields, etc.).

Via Windows Registry (Group Policy / MDM deployable):

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\JSPrefs]
"bEnableJS"=dword:00000000

Via macOS defaults:

defaults write com.adobe.Reader JSPrefs.bEnableJS -bool false

Block network exfiltration at the perimeter: Block outbound HTTP/S traffic containing Adobe Synchronizer in the User-Agent header at your proxy or firewall. This disrupts the observed exfiltration and C2 channel without requiring host-level changes.

Configuration Hardening

Beyond the immediate patch, harden the Acrobat deployment:

  • Disable privileged JavaScript APIs in enterprise deployments using Adobe's Acrobat Customization Wizard or lockdown registry keys to restrict util.readFileIntoStream(), file I/O APIs, and external network calls from within PDF JavaScript.
  • Enable Protected Mode (sandbox): Edit → Preferences → Security (Enhanced) → Enable "Protected Mode at Startup". This sandboxes the renderer and limits damage from exploitation.
  • Enable Protected View for all files: Set "Files from potentially unsafe locations" and "All files" to open in Protected View, requiring explicit user confirmation before full functionality activates.

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: Confirm patched version is installed — open Acrobat → Help → About and verify version number meets or exceeds the fixed versions listed above.
  • Scenario B: Confirm JavaScript execution still works for legitimate use cases — open a known-good interactive PDF form and verify form calculations and field validation function correctly.
  • Scenario C: Confirm the attack vector no longer succeeds — open a proof-of-concept test PDF (use one sourced from your security team or vendor) in the patched Reader and verify no unexpected outbound network connections are initiated.

Security Test Cases

Test Case 1: Verify vulnerability is patched

  • Precondition: Apply patch to v26.001.21411 or later
  • Steps: Using a sandboxed VM, open a PoC PDF containing __proto__ manipulation JavaScript in patched Reader
  • Expected Result: JavaScript executes without gaining elevated API access; util.readFileIntoStream() is restricted or returns an error; no outbound connections to the attacker server

Test Case 2: Verify JavaScript disable workaround (interim)

  • Precondition: JS disabled via Preferences or registry key
  • Steps: Open any PDF with embedded JavaScript
  • Expected Result: Acrobat/Reader renders the PDF but does not execute any embedded JavaScript; no dynamic form behavior; no network connections

Test Case 3: Verify network-level detection

  • Precondition: Proxy/firewall rule blocking Adobe Synchronizer user-agent
  • Steps: Simulate the exfiltration by sending a request that carries the Adobe Synchronizer user-agent
  • Expected Result: Request blocked and logged at the proxy; security alert generated

Automated Tests

# Quick version check script for Windows endpoints (run via RMM or SCCM)
import winreg

# Fixed versions per product track (from Section 4); anything older on the
# same track is vulnerable. The 24.x entry is the Windows build.
FIXED_VERSIONS = {
    "26": "26.001.21411",  # Acrobat DC / Reader DC
    "24": "24.001.30362",  # Acrobat 2024 (Windows)
}

REG_PATHS = [
    r"SOFTWARE\Adobe\Acrobat Reader\DC\Installer",
    r"SOFTWARE\Adobe\Adobe Acrobat\DC\Installer",
]

def parse_version(version):
    # Compare numerically; as strings, "26.001.9999" would sort above "26.001.21367".
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(version):
    fixed = FIXED_VERSIONS.get(version.split(".")[0])
    if fixed is None:
        return False  # unknown track: review manually
    return parse_version(version) < parse_version(fixed)

def check_acrobat_version():
    # Acrobat ships as 32-bit or 64-bit, so query both registry views.
    for path in REG_PATHS:
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                                    winreg.KEY_READ | view) as key:
                    version, _ = winreg.QueryValueEx(key, "ProductVersion")
            except FileNotFoundError:
                continue
            if is_vulnerable(version):
                print(f"[VULNERABLE] Adobe Acrobat {version} at {path} - patch required")
            else:
                print(f"[OK] Adobe Acrobat {version} at {path} - appears patched")

check_acrobat_version()

6. Prevention & Hardening

Best Practices

  • Enforce auto-update policies for Adobe Acrobat/Reader across all endpoints using Group Policy, Jamf, or SCCM. Acrobat's update cadence is predictable; unmanaged installations drift into vulnerable states quickly.
  • Treat PDFs from unknown senders as untrusted. Train users to preview PDFs in browser-native renderers (Chrome, Edge, Firefox) rather than opening them in the desktop Acrobat application, especially for email attachments. Browser-native PDF renderers do not support Acrobat's JavaScript API surface.
  • Use application allowlisting to prevent unauthorized binaries spawned by Acrobat processes (a common post-exploitation pattern) from executing.
  • Restrict PDF JavaScript APIs at the enterprise level using Adobe's lockdown mechanisms to whitelist only the APIs required for legitimate business use, removing file I/O and network APIs from the permitted set.
  • Consider a PDF sandboxing/detonation gateway (e.g., Proofpoint, Mimecast, Palo Alto WildFire) for inbound email attachments that opens PDFs in a cloud sandbox before delivering to the end user.

Monitoring & Detection

Set up the following detections to catch active exploitation:

  • SIEM rule: Alert on outbound HTTP/S traffic from AcroRd32.exe or Acrobat.exe to external IPs — legitimate Acrobat network traffic is tightly scoped to Adobe CDN ranges; any other destination is suspicious.
  • SIEM rule: Alert on any process spawned as a child of AcroRd32.exe or Acrobat.exe (e.g., cmd.exe, powershell.exe, wscript.exe) — this indicates successful code execution post-exploitation.
  • Proxy/firewall rule: Block and alert on Adobe Synchronizer user-agent strings in outbound traffic.
  • EDR behavioral rule: Flag util.readFileIntoStream API invocations inside Acrobat's JS sandbox environment touching paths outside the PDF's own temp directory.
  • File integrity monitoring: Watch for new scripts or executables dropped into %APPDATA%\Adobe\ or /Library/Application Support/Adobe/ directories, as these are common staging locations for dropped payloads.
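The detections listed above, together with the network-level check in Test Case 3 of Section 5, are expressed below as rule code run over constructed telemetry. This is an added example and not code from the advisory or from any SIEM/EDR vendor: the event field names, the Adobe destination allowlist, the list of suspicious child processes, and the set of dropped-file extensions are assumptions for this example and should be mapped onto your own telemetry schema and environment.

```javascript
// Added example: the advisory's monitoring rules as code, evaluated over
// constructed EDR/proxy events. Field names and allowlists are assumptions.

const ACROBAT_PROCESSES = new Set(['acrord32.exe', 'acrobat.exe']);
// Assumed allowlist of legitimate Acrobat destinations; tune to your environment.
const ALLOWED_DESTINATION_SUFFIXES = ['.adobe.com', '.adobe.io', '.adobelogin.com'];
// Child processes named in the advisory as a sign of post-exploitation code execution.
const SUSPICIOUS_CHILDREN = new Set(['cmd.exe', 'powershell.exe', 'wscript.exe']);
// Staging directories named in the advisory, and extensions treated as scripts/executables.
const STAGING_DIR_PATTERNS = [/AppData[\\/]Roaming[\\/]Adobe[\\/]/i, /\/Library\/Application Support\/Adobe\//i];
const DROPPED_EXTENSIONS = new Set(['.exe', '.dll', '.js', '.vbs', '.ps1', '.bat', '.sh']);

function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

function isAllowedDestination(host) {
  const h = host.toLowerCase();
  return ALLOWED_DESTINATION_SUFFIXES.some((s) => h === s.slice(1) || h.endsWith(s));
}

// Rule 1: network connection from an Acrobat process to a non-Adobe destination.
// Rule 2: "Adobe Synchronizer" user-agent on outbound traffic from any process.
// Rule 3: cmd/powershell/wscript spawned as a child of an Acrobat process.
// Rule 4: script or executable written into an Adobe staging directory.
function evaluateEvent(ev) {
  const alerts = [];
  switch (ev.type) {
    case 'network': {
      if (ACROBAT_PROCESSES.has(baseName(ev.image)) && !isAllowedDestination(ev.dest_host)) {
        alerts.push({ rule: 'acrobat-egress-non-adobe', host: ev.dest_host });
      }
      if (/adobe synchronizer/i.test(ev.user_agent || '')) {
        alerts.push({ rule: 'adobe-synchronizer-user-agent', host: ev.dest_host });
      }
      break;
    }
    case 'process': {
      if (ACROBAT_PROCESSES.has(baseName(ev.parent_image)) && SUSPICIOUS_CHILDREN.has(baseName(ev.image))) {
        alerts.push({ rule: 'acrobat-spawned-shell', child: baseName(ev.image) });
      }
      break;
    }
    case 'file': {
      const inStaging = STAGING_DIR_PATTERNS.some((re) => re.test(ev.path));
      const ext = (ev.path.match(/\.[^.\\/]+$/) || [''])[0].toLowerCase();
      if (inStaging && DROPPED_EXTENSIONS.has(ext)) {
        alerts.push({ rule: 'payload-staged-in-adobe-dir', path: ev.path });
      }
      break;
    }
  }
  return alerts;
}

function evaluateAll(events) {
  return events.flatMap(evaluateEvent);
}

// Constructed telemetry: one benign and one suspicious event per rule family.
const READER = 'C:\\Program Files\\Adobe\\Acrobat Reader\\Reader\\AcroRd32.exe';
const SAMPLE_EVENTS = [
  { type: 'network', image: READER, dest_host: 'armmf.adobe.com', user_agent: 'Mozilla/5.0' },            // benign update check
  { type: 'network', image: READER, dest_host: 'files-sync.example.net', user_agent: 'Adobe Synchronizer' }, // rules 1 + 2
  { type: 'process', parent_image: READER, image: 'C:\\Windows\\System32\\cmd.exe' },                      // rule 3
  { type: 'process', parent_image: 'C:\\Windows\\explorer.exe', image: 'C:\\Windows\\System32\\cmd.exe' },   // benign
  { type: 'file', image: READER, path: 'C:\\Users\\alice\\AppData\\Roaming\\Adobe\\stage.js' },            // rule 4
  { type: 'file', image: READER, path: 'C:\\Users\\alice\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\prefs.xml' }, // benign
];

console.log(evaluateAll(SAMPLE_EVENTS)); // four alerts: rules 1, 2, 3 and 4
```

Rule 1 is the noisiest of the four in practice, since the allowlist has to cover every legitimate Adobe endpoint your builds talk to; start it in alert-only mode and promote to blocking once the allowlist has settled.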
