CVE-2026-34621
Published: 11 April 2026
Summary
CVE-2026-34621 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Apple macOS. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 6.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier contain an Improperly Controlled Modification of Object Prototype Attributes vulnerability, also known as Prototype Pollution and tracked as CWE-1321. The flaw can lead to arbitrary code execution in the context of the current user. It carries a CVSS 3.1 score of 8.6, reflecting a local attack vector, low attack complexity, no required privileges, required user interaction, and changed scope with high impact on confidentiality, integrity, and availability.
An attacker can exploit the issue by supplying a malicious file that the victim must open; successful exploitation grants code execution privileges equivalent to those of the targeted user without needing additional authentication or elevated rights.
Adobe has published mitigation guidance in security advisory APSB26-43, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog. The associated EPSS score has remained in a narrow band between 0.1103 and 0.1216 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21675
Vulnerability details
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
- CWE(s)
- KEV Date Added: 13 April 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The prototype pollution vulnerability in Adobe Acrobat Reader enables arbitrary code execution via client software exploitation (T1203) when a user opens a malicious file (T1204.002).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the Adobe patch (APSB26-43) that eliminates the prototype-pollution flaw before a malicious PDF can be exploited.
Deploys malicious-code detection mechanisms that inspect or sandbox PDFs, blocking the user-interaction vector that triggers arbitrary code execution.
Enforces least-privilege execution of Acrobat Reader so that any code injected via the prototype-pollution flaw runs only with the limited rights of the logged-on user.