Cyber Posture

CVE-2026-34622

High

Published: 14 April 2026

Modified: 16 April 2026
KEV Added
Patch
CVSS Score: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Flaw remediation requires timely patching of vulnerable Acrobat Reader versions to eliminate the prototype pollution vulnerability enabling arbitrary code execution.

detect

Vulnerability scanning identifies systems running affected Acrobat Reader versions exposed to CVE-2026-34622.

prevent, detect

Malicious code protection detects and prevents execution of malicious PDF files exploiting the prototype pollution in Acrobat Reader.

Security Summary [AI]

CVE-2026-34622 is an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability, mapped to CWE-1321, affecting Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362, and earlier. Published on 2026-04-14, this flaw enables arbitrary code execution in the context of the current user.

Exploitation requires user interaction, as a victim must open a malicious file. An attacker can craft such a file and deliver it to the target, who, upon opening it in the vulnerable Acrobat Reader, triggers the prototype pollution leading to arbitrary code execution with the current user's privileges. The CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects low attack complexity, no required privileges, and high impacts across confidentiality, integrity, and availability in a changed scope.

Adobe's security bulletin APSB26-44, available at https://helpx.adobe.com/security/products/acrobat/apsb26-44.html, addresses this issue with details on available patches and recommended mitigations.

Details

CWE(s)

Affected Products

adobe · acrobat · 24.0.0 — 24.001.30365
adobe · acrobat dc · 15.008.20082 — 26.001.21431
adobe · acrobat reader dc · 15.008.20082 — 26.001.21431

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The vulnerability enables arbitrary code execution via exploitation of a client application (Acrobat Reader) when a user opens a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
