CVE-2026-34621
Published: 11 April 2026
Summary
CVE-2026-34621 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Adobe Acrobat Reader. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 6.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely patching of the prototype pollution flaw in vulnerable Acrobat Reader versions to prevent arbitrary code execution upon opening malicious PDFs.
Ensures monitoring of security advisories like CISA KEV and Adobe bulletins for CVE-2026-34621, enabling rapid flaw remediation.
Deploys malicious code protection mechanisms to scan and block malicious PDFs or detect resulting code execution from prototype pollution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The prototype pollution vulnerability in Adobe Acrobat Reader enables arbitrary code execution through client software exploitation (T1203) when a user opens a malicious file (T1204.002).
NVD Description
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Deeper analysis
CVE-2026-34621 is an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability, mapped to CWE-1321, affecting Adobe Acrobat Reader versions 24.001.30356, 26.001.21367, and earlier. Published on 2026-04-11, this flaw could result in arbitrary code execution in the context of the current user.
Exploitation requires user interaction, as a victim must open a malicious file. An attacker who can trick a user into opening such a file—typically via social engineering or phishing—can achieve arbitrary code execution with the privileges of the current user. The CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects a local attack vector, low attack complexity, no required privileges, user interaction dependency, changed scope, and high impacts on confidentiality, integrity, and availability.
Adobe Security Bulletin APSB26-43 details the issue and mitigation: https://helpx.adobe.com/security/products/acrobat/apsb26-43.html. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621, indicating active exploitation in the wild.
Details
- CWE(s): CWE-1321
- KEV Date Added: 13 April 2026