Adobe shipped an out-of-band update on April 12 for CVE-2026-34621, a prototype-pollution flaw in Acrobat and Acrobat Reader that researchers say has been exploited in the wild since December 2025. The bug rates 8.6 on the CVSS scale — Adobe initially called it 9.6 before revising the score downward — and CISA added it to the Known Exploited Vulnerabilities catalog the next day with an April 27 deadline for federal agencies.
Prototype pollution, weaponised through a PDF
The vulnerability sits in Acrobat’s JavaScript engine. Prototype pollution is a well-understood class of bug in JavaScript runtimes: an attacker mutates the prototype object that other objects inherit from, smuggling unexpected properties into code paths the developer assumed were safe. In Acrobat the path to arbitrary code execution runs through a specially crafted PDF: open the document in a vulnerable client and the embedded JavaScript pollutes the prototype chain, and the corrupted chain is then leveraged to reach native code execution.
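As an added illustration of the bug class, not Adobe’s code and not the Acrobat exploit, the JavaScript below shows how prototype pollution arises from an unguarded recursive merge, how a downstream check is subverted by it, and one way to harden the merge. The payload shape, the merge functions and the `isPrivileged` check are constructed for the demo.

```javascript
// Added illustration, not Adobe's code and not the Acrobat exploit:
// how prototype pollution arises from an unguarded recursive merge,
// and one way to harden the merge. Inputs are constructed for the demo.

// Unsafe merge: copies keys from an untrusted object into a target
// without checking for "__proto__", so target["__proto__"] resolves to
// Object.prototype and the recursion writes into it. Every object in
// the runtime then inherits the attacker-controlled property.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuses the keys that reach the prototype chain and
// only recurses into the target's own properties, never inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A downstream check that a polluted prototype subverts: a fresh object
// has no own isAdmin, so the lookup falls through to Object.prototype.
function isPrivileged(session) {
  return session.isAdmin === true;
}

// Runs one merge over a constructed payload of the classic shape and
// reports whether an unrelated object now passes the privilege check.
// Object.prototype is cleaned up afterwards so the demo is repeatable.
function demonstrate(merge) {
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "theme": "dark"}');
  const config = merge({}, untrusted);
  const leaked = isPrivileged({});
  delete Object.prototype.isAdmin;
  return { leaked, configKeys: Object.keys(config) };
}

console.log('unsafe merge:', demonstrate(unsafeMerge)); // leaked: true
console.log('safe merge:  ', demonstrate(safeMerge));   // leaked: false
```

The `hasOwnProperty` check in `safeMerge` matters as much as the key blocklist: without it, a key that happens to name an inherited object would still be recursed into. Merging into an object created with `Object.create(null)` is a further step that removes the chain entirely.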
The affected versions are wide. Acrobat DC and Reader DC at 26.001.21367 and earlier are vulnerable, as is Acrobat 2024 at 24.001.30356 and earlier. Adobe’s fixed releases are DC 26.001.21411 and Acrobat 2024 24.001.30362 on Windows / 24.001.30360 on macOS. Anything older than those numbers should be considered exposed, regardless of whether automatic updates are claimed to be enabled — historically a non-trivial fraction of enterprise endpoints lag the published version because of update-deferral policy.
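Checking an inventory export against those thresholds is mostly a matter of comparing the three-field build numbers correctly. The script below is an added example, not Adobe’s tooling: the fixed release numbers are the ones quoted above, while the assumption that the DC fix number applies on both Windows and macOS, the product names, and the host rows are constructed for the demo.

```javascript
// Added example, not Adobe's tooling: classify installed Acrobat builds
// against the fixed releases in the advisory. Fixed numbers come from the
// advisory; the assumption that the DC fix applies on both platforms and
// the host inventory are constructed for the demo.
const FIXED_VERSIONS = {
  'Acrobat DC':   { windows: '26.001.21411', macos: '26.001.21411' },
  'Reader DC':    { windows: '26.001.21411', macos: '26.001.21411' },
  'Acrobat 2024': { windows: '24.001.30362', macos: '24.001.30360' },
};

// Parse "26.001.21367" into [26, 1, 21367]; the zero-padded middle field
// must be compared numerically, not as text.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable Acrobat version: ${v}`);
  }
  return parts;
}

// Comparator semantics: -1 if a is older than b, 0 if equal, 1 if newer.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exposed means strictly older than the fixed release for that product
// and platform. Unknown product/platform pairs raise rather than
// silently passing as patched.
function isExposed(product, platform, installed) {
  const byPlatform = FIXED_VERSIONS[product];
  const fixed = byPlatform && byPlatform[platform];
  if (!fixed) throw new Error(`no fixed version known for ${product} on ${platform}`);
  return compareVersions(installed, fixed) < 0;
}

// Constructed inventory rows, shaped like an endpoint-management export.
const INVENTORY = [
  { host: 'ws-0101', product: 'Acrobat DC',   platform: 'windows', version: '26.001.21367' },
  { host: 'ws-0102', product: 'Acrobat DC',   platform: 'windows', version: '26.001.21411' },
  { host: 'mac-007', product: 'Acrobat 2024', platform: 'macos',   version: '24.001.30360' },
  { host: 'ws-0203', product: 'Acrobat 2024', platform: 'windows', version: '24.001.30356' },
  { host: 'ws-0204', product: 'Reader DC',    platform: 'windows', version: '25.001.20001' },
];

// Returns the hostnames still exposed, ready to hand to whoever owns patching.
function exposedHosts(inventory) {
  return inventory
    .filter((row) => isExposed(row.product, row.platform, row.version))
    .map((row) => row.host);
}

console.log(exposedHosts(INVENTORY)); // [ 'ws-0101', 'ws-0203', 'ws-0204' ]
```

Note that the macOS Acrobat 2024 fix carries a lower build number than the Windows one, so a single per-product threshold would misclassify patched Mac hosts; keying the table by platform avoids that.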
The disclosure path was unusually messy
Researcher Haifei Li, founder of EXPMON, surfaced details of in-the-wild exploitation a few days before Adobe’s advisory. Per The Hacker News, EXPMON said its findings aligned with those of “other security researchers over the last few days,” suggesting at least two independent observations of the same campaign. Adobe acknowledged exploitation and shipped, but the initial CVSS of 9.6 was lowered to 8.6 in a later revision — a small detail that matters for asset-management tools that gate triage on the 9.0 boundary, because a story flipping from “critical” to “high” on patch day can quietly drop off some teams’ weekly queues.
The exploitation timeline matters more than the score. If the campaign began in December 2025, defenders had roughly four months of unwitting exposure before the patch landed. Anyone who can answer “did a user open an unfamiliar PDF this winter?” should treat that as a meaningful question, not a rhetorical one. EDR telemetry covering AcroRd32.exe and Acrobat.exe spawning child processes, writing to %APPDATA%, or contacting external IPs should be reviewed against December–April retention.
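The three behaviours named above translate directly into a retrospective hunt. The script below is an added detection sketch, not a rule set from EXPMON or any vendor: the event schema (`type`, `host`, `image`, `child`, `path`, `dst`), the rule names and every sample event are constructed for the demo, and the child-process allowlist is deliberately empty because the helper processes Acrobat legitimately spawns should be taken from your own baseline.

```javascript
// Added detection sketch, not EXPMON's or any vendor's rule set: flag
// the three Acrobat behaviours worth pulling from EDR retention. The
// event schema (type, host, image, child, path, dst) and every event
// below are constructed for the demo; map them to your EDR's fields.
const ACROBAT_IMAGES = new Set(['acrord32.exe', 'acrobat.exe']);

// Helper processes Acrobat legitimately spawns vary by version; seed this
// from your own baseline (assumption: empty until you have one).
const ALLOWED_CHILDREN = new Set();

function baseName(path) {
  return String(path).split(/[\\/]/).pop().toLowerCase();
}

function isAcrobat(image) {
  return ACROBAT_IMAGES.has(baseName(image));
}

// RFC 1918 and loopback ranges; anything else counts as external.
function isPrivateIPv4(ip) {
  const o = String(ip).split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127
    || (o[0] === 172 && o[1] >= 16 && o[1] <= 31)
    || (o[0] === 192 && o[1] === 168);
}

// Returns a finding for one event or null. Only events whose acting
// process is Acrobat or Reader are considered.
function classifyEvent(ev) {
  if (!isAcrobat(ev.image)) return null;
  const finding = (rule, detail) => ({ host: ev.host, rule, detail });
  switch (ev.type) {
    case 'process_create':
      return ALLOWED_CHILDREN.has(baseName(ev.child))
        ? null
        : finding('acrobat-child-process', ev.child);
    case 'file_write':
      // %APPDATA% expands to <profile>\AppData\Roaming on Windows.
      return /\\AppData\\Roaming\\/i.test(ev.path)
        ? finding('acrobat-appdata-write', ev.path)
        : null;
    case 'network_connect':
      return isPrivateIPv4(ev.dst) ? null : finding('acrobat-external-connect', ev.dst);
    default:
      return null;
  }
}

// Run the classifier over a retention window's worth of events.
function hunt(events) {
  return events.map(classifyEvent).filter((f) => f !== null);
}

// Constructed sample telemetry; 203.0.113.7 is a documentation-range address.
const SAMPLE_EVENTS = [
  { type: 'process_create', host: 'ws-0101', image: 'C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe', child: 'C:\\Windows\\System32\\cmd.exe' },
  { type: 'file_write', host: 'ws-0101', image: 'AcroRd32.exe', path: 'C:\\Users\\alice\\AppData\\Roaming\\upd.dll' },
  { type: 'network_connect', host: 'ws-0102', image: 'AcroRd32.exe', dst: '10.0.0.5' },
  { type: 'network_connect', host: 'ws-0102', image: 'AcroRd32.exe', dst: '203.0.113.7' },
  { type: 'process_create', host: 'ws-0103', image: 'C:\\Windows\\explorer.exe', child: 'AcroRd32.exe' },
  { type: 'file_write', host: 'ws-0101', image: 'Acrobat.exe', path: 'C:\\Users\\alice\\Documents\\report.pdf' },
];

console.log(hunt(SAMPLE_EVENTS)); // three findings
```

The fifth sample event (Explorer launching Reader) is the normal document-open and correctly produces nothing; the point of the hunt is Acrobat acting as the parent, not as the child. Expect the external-connection rule to be the noisiest of the three, since Acrobat does talk to update and licensing endpoints, so review those hits by destination rather than suppressing the rule.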
What this means
For practitioners, three actions fall out of CVE-2026-34621.
First, treat the CISA April 27 deadline as an outer limit, not a target. Adobe shipped the fix on April 12; private operators with an active EDR fleet should already be at full coverage, and if any subset of endpoints is still on Acrobat DC <26.001.21411 or Acrobat 2024 <24.001.30362, surface the asset list to leadership today.
Second, assume retroactive compromise on any endpoint that has handled untrusted PDFs in the last six months. The campaign predates the disclosure by months. Run a hunt against the established malicious-PDF IOCs released by EXPMON and adjacent vendors, and pull the resulting hits into a deeper investigation — a single confirmed open is usually enough to justify imaging the host.
Third, examine whether the CVSS revision from 9.6 to 8.6, which moved the bug across the 9.0 “critical” boundary, changed your team’s prioritisation, and if so, why. Score boundaries are a useful triage signal, not a justification: an actively exploited 8.6 is more urgent than an unexploited 9.6 every time, and any process that quietly demotes one based on the number alone is a process that needs a second pass.