
Vulnerability Summary
A critical Prototype Pollution vulnerability (CWE-1321) affects Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier. Successful exploitation allows arbitrary code execution in the context of the current user.
Severity & Scoring
CVSS 8.6 (initially reported as 9.6, adjusted April 12 when Adobe revised the attack vector from Network to Local). Rated CRITICAL.
Technical Details
Prototype Pollution allows attackers to add or modify properties of the base JavaScript Object.prototype. Because almost every object in the engine inherits from that prototype, the injected properties become visible to application code that never defined them, altering the behavior of application functions and potentially steering them into security-sensitive operations. In this case, attackers craft malicious PDFs that, when opened, execute arbitrary code via the corrupted JavaScript objects, enabling deployment of remote access trojans (RATs).
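The mechanism described above, as an added JavaScript example that is not part of this advisory and not the Acrobat exploit: a generic recursive "merge" sink that copies attacker-controlled keys into an object without rejecting the special key __proto__, shown next to a hardened version. The payload, function names and the isAdmin property are constructed for illustration.

```javascript
// Added example (not from the advisory): a classic prototype-pollution sink
// and its hardened form. The payload below is constructed for illustration.

// Vulnerable: recurses into target[key] for every key, so the key "__proto__"
// resolves to Object.prototype and the nested values land on the global prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val); // target["__proto__"] === Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: drop the keys that reach a prototype, only recurse into the target's
// own properties, and never treat arrays as merge targets.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // refuse to walk into a prototype
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs both merges on the same constructed payload and reports what an
// unrelated, freshly created object can "see" afterwards.
function demo() {
  // JSON.parse creates an OWN property named "__proto__", which is what makes
  // the key reachable through Object.keys() in the vulnerable merge.
  const payload = JSON.parse('{"title":"report","__proto__":{"isAdmin":true}}');

  unsafeMerge({}, payload);
  const pollutedVisible = ({}).isAdmin === true; // true: every object now inherits isAdmin
  delete Object.prototype.isAdmin;               // undo the pollution before the safe run

  const merged = safeMerge({}, payload);
  const safeVisible = ({}).isAdmin === true;     // false: the key was dropped

  return {
    pollutedVisible,
    safeVisible,
    title: merged.title,
    hasOwnProto: Object.prototype.hasOwnProperty.call(merged, '__proto__'),
  };
}

console.log(demo());
```

The essential point for reviewers is the recursion into target[key]: a plain object has no own "__proto__" property, so the lookup falls through to the inherited accessor and returns Object.prototype itself. Blocking the three keys above and checking hasOwnProperty before recursing closes that path; using Object.create(null) for merge targets is an equivalent defense.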
Exploitation Timeline & Discovery
Security researcher Haifei Li (EXPMON) initially flagged the threat as a highly sophisticated, fingerprinting-style PDF exploit, with evidence suggesting exploitation since at least December 2025. Adobe acknowledged active in-the-wild exploitation in the days following Li’s disclosure.
Attack Prerequisites
Exploitation requires user interaction: a victim must open a malicious file. The exploit leverages privileged Acrobat APIs, including util.readFileIntoStream(), to read arbitrary files accessible to the Reader process.
Patching
Adobe addressed the flaw on April 11, 2026, under security bulletin APSB26-43, assigning it a Priority-1 rating across Windows and macOS platforms.
Remediation
- Update Adobe Acrobat Reader to the latest patched version immediately
- Monitor for malicious PDF delivery via email, messaging platforms, or web downloads
- Enforce sandboxing or disable JavaScript in Reader if not required for workflow
- Monitor endpoint telemetry for unexpected child processes spawned by Adobe Reader
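One way to implement the last remediation item, as an added example that is not part of this advisory: screen process-creation telemetry for child processes of Adobe Reader that a document viewer has no business spawning. The telemetry format, the Reader process names, the allow-list of expected helper processes and the script-host list are all assumptions made for illustration, not values taken from the advisory or from Adobe documentation; tune them to the images actually observed on your own fleet.

```javascript
// Added example (not from the advisory): flag unexpected child processes of
// Adobe Reader in constructed process-creation telemetry. All names below are
// assumptions for illustration and should be replaced with values from your
// own baseline.

// Assumed Reader executable names on Windows.
const READER_PARENTS = new Set(['acrord32.exe', 'acrobat.exe']);
// Assumed legitimate helpers a baseline might show; keep this list tight.
const EXPECTED_CHILDREN = new Set(['acrocef.exe', 'adobecollabsync.exe']);
// Interpreters that a PDF viewer should never launch; escalate these.
const SCRIPT_HOSTS = new Set(['powershell.exe', 'cmd.exe', 'wscript.exe',
  'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe']);

function basename(path) {
  return String(path).split(/[\\/]/).pop().toLowerCase();
}

// lines: newline-delimited JSON events with ts, host, parent_image, image, cmdline.
function screenEvents(lines) {
  const findings = [];
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; } // skip malformed telemetry
    const parent = basename(ev.parent_image || '');
    if (!READER_PARENTS.has(parent)) continue;            // only Reader-spawned children
    const child = basename(ev.image || '');
    if (EXPECTED_CHILDREN.has(child)) continue;           // known helper, nothing to do
    findings.push({
      ts: ev.ts,
      host: ev.host,
      parent,
      child,
      severity: SCRIPT_HOSTS.has(child) ? 'high' : 'medium',
      cmdline: ev.cmdline || '',
    });
  }
  return findings;
}

// Constructed sample telemetry (not real data), serialized the way an
// endpoint agent might ship it.
const SAMPLE_LINES = [
  { ts: '2026-04-13T09:14:02Z', host: 'wks-17',
    parent_image: String.raw`C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe`,
    image: String.raw`C:\Program Files\Adobe\Acrobat Reader\AcroCEF\AcroCEF.exe`,
    cmdline: 'AcroCEF.exe --type=renderer' },
  { ts: '2026-04-13T09:14:09Z', host: 'wks-17',
    parent_image: String.raw`C:\Program Files\Google\Chrome\chrome.exe`,
    image: String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
    cmdline: 'powershell.exe -File update.ps1' },
  { ts: '2026-04-13T09:15:41Z', host: 'wks-17',
    parent_image: String.raw`C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe`,
    image: String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
    cmdline: 'powershell.exe -w hidden -enc <constructed>' },
  { ts: '2026-04-13T09:15:43Z', host: 'wks-17',
    parent_image: String.raw`C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe`,
    image: String.raw`C:\Users\alice\AppData\Local\Temp\svc_update.exe`,
    cmdline: 'svc_update.exe' },
  'not json at all',
].map(ev => (typeof ev === 'string' ? ev : JSON.stringify(ev)));

console.log(screenEvents(SAMPLE_LINES));
```

Of the five constructed events, the renderer helper and the browser-spawned shell are ignored, the malformed line is skipped, and the two Reader-spawned processes are reported: the PowerShell launch as high severity and the unknown executable in a temp directory as medium. Pair this with the process's own command line and the path of the PDF that was open at the time so an analyst can triage quickly.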