Cyber Resilience

CVE-2026-34621

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 11 April 2026

Modified: 13 April 2026
KEV Added: 13 April 2026
Patch
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0709 (93.4th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-34621 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Apple macOS. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 6.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier contain an Improperly Controlled Modification of Object Prototype Attributes vulnerability, also known as Prototype Pollution and tracked as CWE-1321. The flaw can lead to arbitrary code execution in the context of the current user and carries a CVSS 3.1 score of 8.6 reflecting local attack vector, low attack complexity, no required privileges, required user interaction, and changed scope with high impact on confidentiality, integrity, and availability.

An attacker can exploit the issue by supplying a malicious file that the victim must open; successful exploitation grants code execution privileges equivalent to those of the targeted user without needing additional authentication or elevated rights.

Adobe has published mitigation guidance in security advisory APSB26-43, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog. The associated EPSS score has remained in a narrow band between 0.1103 and 0.1216 with no material upward trajectory after disclosure.

EU & UK References

Vulnerability details

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CWE(s)
KEV Date Added: 13 April 2026

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File · Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

A prototype pollution vulnerability in Adobe Acrobat Reader enables arbitrary code execution via client software exploitation (T1203) when a user opens a malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34622 · Same product: Adobe Acrobat
CVE-2026-27220 · Same product: Adobe Acrobat
CVE-2026-27278 · Same product: Adobe Acrobat
CVE-2025-27158 · Same product: Adobe Acrobat
CVE-2025-27161 · Same product: Adobe Acrobat
CVE-2025-27162 · Same product: Adobe Acrobat
CVE-2025-27174 · Same product: Adobe Acrobat
CVE-2025-27160 · Same product: Adobe Acrobat
CVE-2025-27159 · Same product: Adobe Acrobat
CVE-2026-27283 · Same product: Apple macOS

Affected Assets

adobe acrobat dc: ≤ 26.001.21411
adobe acrobat reader dc: ≤ 26.001.21411
adobe acrobat: 24.0.0 — 24.001.30362 · 24.0.0 — 24.001.30360

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the Adobe patch (APSB26-43) that eliminates the prototype-pollution flaw before a malicious PDF can be exploited.

prevent · detect

Deploys malicious-code detection mechanisms that inspect or sandbox PDFs, blocking the user-interaction vector that triggers arbitrary code execution.

prevent

Enforces least-privilege execution of Acrobat Reader so that any code injected via the prototype-pollution flaw runs only with the limited rights of the logged-on user.