Adobe Acrobat Reader Patches Actively Exploited Zero-Day (CVE-2026-34621 / APSB26-43)
On April 11, Adobe released an emergency security update for Acrobat Reader.
The target is CVE-2026-34621, a Prototype Pollution vulnerability with a CVSS score of 8.6. The timing nearly coincided with security researcher Haifei Li (EXPMON) publishing technical details on April 7.
Exploitation of this vulnerability has been confirmed since December 2025, meaning attacks had been ongoing for over 4 months.
The background is covered in the previous article: Adobe Reader Zero-Day Exploited via PDF for 4 Months, Unpatched RCE Still Active
A CVE has now been officially assigned and a patch is available.
CVE-2026-34621 Overview
| Item | Details |
|---|---|
| CVE ID | CVE-2026-34621 |
| CWE | CWE-1321 (Improper Control of Prototype Attributes) |
| CVSS Score | 8.6 (CVSS 3.1) |
| Security Bulletin | APSB26-43 |
| Patch Priority | Priority 1 (apply within 72 hours) |
| Affected Products | Adobe Acrobat Reader 24.001.30356 and earlier, 26.001.21367 and earlier (Windows/Mac) |
| Attack Requirements | User opens a malicious PDF |
| Exploitation Status | Confirmed in the wild (ongoing since December 2025) |
The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. The scope change (S:C) indicates the impact extends beyond Adobe Reader’s sandbox to the OS level.
Technical Background
CVE-2026-34621 stems from Prototype Pollution within Acrobat Reader’s JavaScript engine.
Prototype Pollution is a technique that tampers with properties of Object.prototype, the common ancestor inherited by all JavaScript objects, to manipulate the behavior of arbitrary objects.
Adobe Reader allows JavaScript execution within PDFs. By abusing Object.prototype.__defineGetter__(), attackers could hijack internal undocumented APIs. This allowed code that should have been confined within the sandbox to call privileged APIs outside it (such as util.readFileIntoStream()).
The attack flow consists of two stages.
```mermaid
flowchart TD
A[Open malicious PDF] --> B[Stage 1: Obfuscated JS loader<br/>Uses JSFuck to evade static analysis]
B --> C[Bug 1: JS injection into Dialog API<br/>Access internal APIs from within sandbox]
C --> D[Bug 2: Privilege escalation via Prototype Pollution<br/>Abuses Object.prototype.__defineGetter__]
D --> E[Unrestricted access to privileged APIs<br/>util.readFileIntoStream / app.trustedFunction etc.]
E --> F[System fingerprinting<br/>OS version, AV products, language settings]
F --> G[Beacon to C2 server]
G --> H{Sandbox environment?}
H -->|Yes| I[Abort attack to avoid detection]
H -->|No| J[Receive AES-CTR encrypted payload]
J --> K[Code execution via eval / RCE achieved]
K --> L[Persistence via Registry Run key]
```
Bug 1 breaches the sandbox wall; Bug 2 escalates privileges. This two-stage chain is the core of the attack. Because this is a logic-based vulnerability rather than memory corruption such as a buffer overflow, conventional detection methods (exploit mitigations and crash-based signatures) are less effective, and the resulting low detection rate allowed prolonged exploitation.
APSB26-43 Patch Details
According to Adobe’s security bulletin APSB26-43, Priority 1 has been assigned. Priority 1 is Adobe’s highest priority level, requiring application within 72 hours.
Safe versions after patching (Adobe’s official recommendation) are as follows.
| Product | Platform | Updated Version |
|---|---|---|
| Acrobat DC (Continuous) | Windows / Mac | 26.001.21380 or later |
| Acrobat Reader DC | Windows / Mac | 26.001.21380 or later |
| Acrobat 2024 | Windows / Mac | 24.001.30372 or later |
Updates can be applied through Adobe’s auto-update feature (Help > Check for Updates). For enterprise environments, deployment via Acrobat Update Server (AUS) or IT management tools is recommended.
Timeline
| Date | Event |
|---|---|
| December 2025 | Attacks begin (confirmed retroactively) |
| Late November 2025 | EXPMON detects anomalous PDF samples |
| April 7, 2026 | Haifei Li publishes technical details |
| April 11, 2026 | Adobe assigns CVE, releases APSB26-43 |
| April 12, 2026 | CERTs and security agencies issue emergency advisories |
The patch arrived within 4-5 days of public disclosure, a relatively swift response. However, since exploitation had been under way for over 4 months before the technical details were even published, organizations should also investigate whether they were already compromised.
The primary targets are estimated to be Russian-speaking organizations (energy infrastructure, government agencies), but there is risk of continued operations with infrastructure rotation and copycat attacks by other threat groups.
Indicators of Compromise (IOC)
For environments that used Adobe Reader before the patch was applied, check the following.
Network indicators
- Outbound traffic with a User-Agent containing: Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)
- Communication to the following C2 (command and control) servers:
  - 188.214.34.20:34123 (Cyprus, EDIS GmbH)
  - 169.40.2.68:45191 (Latvia, VEESP)
- Domain: ado-read-parser.com
Endpoint indicators
- Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Synchronizer
- Mutexes:
  - Global_MSIExecute
  - Global\AdobeCrashProcessorLocalLowLock
Reports indicate C2 infrastructure went offline after disclosure, but migrating to new infrastructure using the same techniques is standard practice for threat groups.
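As an added example of turning the network indicators above into a retrospective check (written for this article, not tooling from the original report), the following Node.js script matches the User-Agent string, C2 addresses and domain against proxy log lines. The log format and the four sample lines are constructed for the example; adapt parseLine() to your proxy's actual format.

```javascript
// Network IOCs quoted from the article (the User-Agent, C2 addresses and domain).
const IOC = {
  userAgentFragment: "Adobe Synchronizer 23.8.20533",
  c2: ["188.214.34.20:34123", "169.40.2.68:45191"],
  domains: ["ado-read-parser.com"],
};

// Assumed log line layout (constructed for this example):
// <iso-timestamp> <client-ip> <destination host:port> "<user-agent>"
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$/);
  if (!m) return null;
  return { ts: m[1], client: m[2], dest: m[3], ua: m[4] };
}

// Return every indicator a parsed record matches, so a line hitting more than one
// indicator (the UA plus a known C2 endpoint) can be prioritised over a single weak match.
function matchIocs(rec) {
  const hits = [];
  if (rec.ua.includes(IOC.userAgentFragment)) hits.push("user-agent");
  if (IOC.c2.includes(rec.dest)) hits.push("c2-address");
  const host = rec.dest.split(":")[0].toLowerCase();
  if (IOC.domains.some((d) => host === d || host.endsWith("." + d))) hits.push("c2-domain");
  return hits;
}

// Scan a whole log text; unparseable and clean lines are skipped.
function scanLog(text) {
  const alerts = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const rec = parseLine(line);
    if (!rec) continue;
    const hits = matchIocs(rec);
    if (hits.length) alerts.push({ ts: rec.ts, client: rec.client, dest: rec.dest, hits });
  }
  return alerts;
}

// Constructed sample log: two infected-looking clients and one benign request.
const SAMPLE_LOG = `2026-01-14T09:12:03Z 10.0.5.23 188.214.34.20:34123 "Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)"
2026-01-14T09:12:05Z 10.0.5.23 cdn.ado-read-parser.com:443 "Mozilla/3.0 (compatible; Adobe Synchronizer 23.8.20533)"
2026-01-14T09:13:10Z 10.0.5.41 update.example.com:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-01-14T09:13:11Z 10.0.5.41 169.40.2.68:45191 "curl/8.4.0"`;

for (const a of scanLog(SAMPLE_LOG)) {
  console.log(`${a.ts} ${a.client} -> ${a.dest}: ${a.hits.join(", ")}`);
}
```

Because the User-Agent imitates a legitimate-looking Adobe component name, a UA-only hit is a lead to correlate with the destination, not a verdict; a line matching both the UA and a C2 address or domain is the strong signal. The C2 list will need updating if the actors rotate infrastructure, which the article notes is standard practice.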
Response Priorities
Patching is the top priority. For enterprise environments where immediate deployment across all machines is difficult, switching to browser-built-in PDF viewers (Chrome, Firefox) as an interim measure is effective. Browser viewers lack Acrobat’s JavaScript API, so this exploit cannot execute.
Disabling JavaScript execution in Adobe Reader (Edit > Preferences > JavaScript > uncheck “Enable Acrobat JavaScript”) also works as a mitigation, but forms and interactive PDFs that depend on JavaScript will stop working.