Cyber Posture

CVE-2026-34622

High

Published: 14 April 2026

Modified: 16 April 2026
KEV Added:
Patch:
CVSS Score: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.0th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34622 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Adobe Acrobat. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 49.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation requires timely patching of vulnerable Acrobat Reader versions to eliminate the prototype pollution vulnerability enabling arbitrary code execution.

Detect: Vulnerability scanning identifies systems running affected Acrobat Reader versions exposed to CVE-2026-34622.

Prevent, detect: Malicious code protection detects and prevents execution of malicious PDF files exploiting the prototype pollution in Acrobat Reader.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The vulnerability enables arbitrary code execution via exploitation of a client application (Acrobat Reader) when a user opens a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysis

CVE-2026-34622 is an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability, mapped to CWE-1321, affecting Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362, and earlier. Published on 2026-04-14, this flaw enables arbitrary code execution in the context of the current user.

Exploitation requires user interaction, as a victim must open a malicious file. An attacker can craft such a file and deliver it to the target, who, upon opening it in the vulnerable Acrobat Reader, triggers the prototype pollution leading to arbitrary code execution with the current user's privileges. The CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects low attack complexity, no required privileges, and high impacts across confidentiality, integrity, and availability in a changed scope.

Adobe's security bulletin APSB26-44, available at https://helpx.adobe.com/security/products/acrobat/apsb26-44.html, addresses this issue with details on available patches and recommended mitigations.

Details

CWE(s)

Affected Products

adobe, acrobat: 24.0.0 to 24.001.30365
adobe, acrobat dc: 15.008.20082 to 26.001.21431
adobe, acrobat reader dc: 15.008.20082 to 26.001.21431

CVEs Like This One

CVE-2026-34621: Same product: Adobe Acrobat
CVE-2026-27220: Same product: Adobe Acrobat
CVE-2026-27278: Same product: Adobe Acrobat
CVE-2025-27174: Same product: Adobe Acrobat
CVE-2025-27158: Same product: Adobe Acrobat
CVE-2025-27160: Same product: Adobe Acrobat
CVE-2025-27162: Same product: Adobe Acrobat
CVE-2025-27161: Same product: Adobe Acrobat
CVE-2025-27159: Same product: Adobe Acrobat
CVE-2025-21163: Same product: Apple macOS
