Mallory

Adobe Acrobat Reader Prototype Pollution Flaws Enable Code Execution

Tags: endpoint-software-vulnerability, widely-deployed-product-advisory, initial-access-method
Updated April 23, 2026 at 08:01 PM · 4 sources

Adobe disclosed two high-severity prototype pollution vulnerabilities in Acrobat Reader, tracked as CVE-2026-34621 and CVE-2026-34622. Both flaws can lead to arbitrary code execution in the context of the current user when a victim opens a malicious file, so exploitation requires user interaction. Adobe classified both issues under CWE-1321 and assigned CVSS v3.1 vectors indicating high impact to confidentiality, integrity, and availability.

CVE-2026-34621 affects Acrobat Reader versions 24.001.30356, 26.001.21367, and earlier, while CVE-2026-34622 affects versions 26.001.21411, 24.001.30360, 24.001.30362, and earlier. The disclosures indicate the vulnerabilities were reported to Adobe's PSIRT and published with advisory references, signaling that organizations using Acrobat Reader should identify exposed versions and prioritize updates to reduce the risk of malicious document-based compromise.

Timeline

  1. Apr 14, 2026

    Adobe releases Acrobat Reader updates for CVE-2026-34622 and CVE-2026-34626

    Adobe published a security bulletin on 2026-04-14 and released updates for Acrobat and Reader on Windows and macOS to fix CVE-2026-34622, which can enable arbitrary code execution, and CVE-2026-34626, which can allow arbitrary file reads. Adobe recommended upgrading to version 26.001.21431 for Continuous Track and 24.001.30365 for Classic 2024 Track, and said it was not aware of active exploitation.

  2. Apr 14, 2026

    Adobe receives report for CVE-2026-34622 in Acrobat Reader

    Adobe disclosed CVE-2026-34622, another prototype pollution flaw in Acrobat Reader that can result in arbitrary code execution in the current user's context when a malicious file is opened. The record states the vulnerability was newly received by psirt@adobe.com and affects versions 26.001.21411, 24.001.30360, 24.001.30362, and earlier.

  3. Apr 11, 2026

    Adobe receives report for CVE-2026-34621 in Acrobat Reader

    Adobe disclosed that CVE-2026-34621, a prototype pollution vulnerability in Acrobat Reader that can lead to arbitrary code execution if a user opens a malicious file, was received by psirt@adobe.com. The issue affects versions 24.001.30356, 26.001.21367, and earlier.
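A version triage helper, added here as an example and not part of the Mallory story or Adobe's bulletin: it parses Acrobat Reader version strings from a constructed inventory and compares each host against the fixed builds the timeline quotes (26.001.21431 for Continuous, 24.001.30365 for Classic 2024). It assumes the major field identifies the release track (26.x Continuous, 24.x Classic 2024); anything else is flagged for manual review rather than guessed.

```python
import csv
import io

# Fixed versions quoted in the story for Adobe's 2026-04-14 bulletin.
FIXED_BY_TRACK = {"continuous": (26, 1, 21431), "classic2024": (24, 1, 30365)}
# Assumption (not stated in the story): the major field identifies the track,
# 26.x = Continuous, 24.x = Classic 2024; anything else gets manual review.
TRACK_BY_MAJOR = {26: "continuous", 24: "classic2024"}


def parse_version(text):
    """Turn '24.001.30362' into (24, 1, 30362) so tuples compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return track and patch status for one installed Acrobat Reader build."""
    version = parse_version(version_text)
    track = TRACK_BY_MAJOR.get(version[0])
    if track is None:
        return {"version": version_text, "track": "unknown", "status": "review"}
    # Builds below the fixed version are exposed to CVE-2026-34621/34622.
    status = "patched" if version >= FIXED_BY_TRACK[track] else "vulnerable"
    return {"version": version_text, "track": track, "status": status}


# Constructed sample inventory; hosts and versions are illustrative only.
SAMPLE_INVENTORY = """host,version
ws-001,26.001.21411
ws-002,26.001.21431
ws-003,24.001.30362
ws-004,24.001.30365
ws-005,20.013.20064
"""


def triage(inventory_csv):
    """Assess every host; vulnerable first, then manual review, then patched."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        result = assess(rec["version"])
        result["host"] = rec["host"]
        rows.append(result)
    order = {"vulnerable": 0, "review": 1, "patched": 2}
    return sorted(rows, key=lambda r: (order[r["status"]], r["host"]))
```

Feed it the export from your software inventory tool in place of the constructed CSV; hosts reported as vulnerable are those still on a build the story lists as affected.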


Related Stories

Adobe Acrobat and Reader Flaws Enable Code Execution via Malicious Files

JPCERT/CC warned that multiple vulnerabilities in **Adobe Acrobat** and **Adobe Acrobat Reader** could lead to arbitrary code execution on both Windows and macOS, including flaws tracked in Adobe bulletins `APSB26-43` and `APSB26-44`. Adobe said exploitation of the `APSB26-43` issues has been confirmed, while JPCERT/CC noted it had not observed attacks in Japan at publication time and cautioned that broader abuse could follow as technical details spread. The affected products include **Adobe Acrobat DC Continuous**, **Adobe Acrobat Reader DC Continuous**, and **Adobe Acrobat 2024 Classic** up to the vulnerable versions identified by Adobe. JPCERT/CC urged organizations and users to update immediately to the latest patched releases, including `26.001.21431` for the DC Continuous branch and `24.001.30365` for Acrobat 2024 Classic, because opening maliciously crafted content may be enough to trigger remote code execution.

2 weeks ago
Multiple Adobe Acrobat and Reader Flaws Enable Code Execution and Information Disclosure

German authorities issued security advisories for **Adobe Acrobat DC**, **Acrobat Reader DC**, and **Adobe Acrobat Reader** covering multiple vulnerabilities that could allow **information disclosure** and **arbitrary code execution**. One advisory specifically warned that a flaw in Adobe Acrobat Reader could expose sensitive information and be leveraged for code execution, raising the risk of compromise when users open maliciously crafted PDF files. A follow-up advisory expanded the scope to **multiple vulnerabilities** across Adobe’s Acrobat product line, indicating broader exposure for enterprise and end-user systems that rely on Adobe PDF software. Organizations using affected Adobe applications should prioritize vendor patches and review endpoint protections, as successful exploitation could give attackers access to data or the ability to run code on targeted systems.

2 weeks ago
Adobe Acrobat and Reader JavaScript Use-After-Free Flaws Patched

Adobe patched two use-after-free vulnerabilities in **Acrobat** and **Reader** that were triggered through JavaScript embedded in malicious PDF files. One flaw, tracked as `CVE-2020-3800`, affected the shared `AcroForm.api` plugin and the `xfa.loadXML` method, where malformed XML supplied through JavaScript caused a crash in Acrobat DC on Windows 10. STAR Labs said the bug was reproduced in Acrobat DC `2019.008.20064`, with the vulnerable component identified as `AcroForm.api` version `19.012.20040.17853`, and Adobe addressed it in security advisory `APSB20-13`. A separate flaw, `CVE-2019-16452`, affected Acrobat and Reader DC `2019.012.20035` and earlier through the `getSound()` JavaScript method. Researchers found inconsistent handling of sound-name string objects between a cache dictionary and a JavaScript object's private data, leaving a stale pointer after `toString()` changed the object's representation. STAR Labs reported that a crafted PDF could potentially turn the bug into code execution inside Adobe's sandbox with careful memory manipulation, and Adobe fixed the issue in bulletin `APSB19-55`.

3 weeks ago
