Prototype Pollution RCE in Adobe Acrobat Reader
CVE-2026-34622 is a critical prototype pollution vulnerability in Adobe Acrobat Reader. Adobe describes the issue as an Improperly Controlled Modification of Object Prototype Attributes affecting Acrobat/Reader Continuous Track 26.001.21411 and earlier, Acrobat 2024 Classic Track 24.001.30362 and earlier on Windows, and 24.001.30360 and earlier on macOS. Successful exploitation can result in arbitrary code execution in the context of the current user. The provided content attributes the bug class to unsafe handling of JavaScript object prototype attributes within Acrobat Reader’s scripting environment when processing a malicious PDF. User interaction is required: the victim must open a crafted malicious file.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small, self-contained research PoC for an Adobe Acrobat exploit chain centered on malicious PDF JavaScript execution and post-exploitation file theft. It contains 4 files: a Python PDF generator (CVE-2026-34621.py), a Python HTTP collection server (c2.py), the main Acrobat JavaScript payload (payload_steal.js), and documentation (ReadMe.md). The main exploit flow is: the operator embeds payload_steal.js into a PDF using CVE-2026-34621.py; the generated PDF sets /OpenAction to a JavaScript action so code runs when the document is opened; the JavaScript then abuses Acrobat-specific internal functions and trust mechanisms to obtain privileged execution; finally it reads a local Windows file and exfiltrates it over HTTP in chunks. CVE-2026-34621.py is not itself the vulnerability trigger beyond embedding arbitrary JavaScript into a PDF. It is a helper utility that reads an external JS file, escapes it for PDF syntax, and writes a minimal PDF object structure with /OpenAction pointing to a /JavaScript action. This makes it the delivery builder for the exploit document. payload_steal.js contains the actual exploit logic. It defines a privileged file-stealing routine using app.beginPriv(), util.readFileIntoStream(), and app.launchURL(). It hardcodes the victim file path /C/Windows/System32/drivers/etc/hosts and exfiltrates the resulting hex data to http://192.168.56.1:45191/exfil. The script also contains the exploit chain primitives described in the README: injection through ANFancyAlertImpl with a crafted button key, prototype pollution using Object.prototype.__defineGetter__('swConn', ...), trusted function registration via app.trustedFunction.bind, fake object methods for path processing, and invocation of ANShareFile/SilentDocCenterLogin to redirect privileged workflow execution. c2.py is a simple operational support component rather than the exploit itself. It listens on 0.0.0.0:45191, accepts GET requests to /exfil, reconstructs chunked hex data into binary, and saves recovered files under exfiltrated_files/. It prints progress and validates whether the recovered file begins with a PDF header. Overall, this is a real exploit PoC repository rather than a detector. It demonstrates a file-based attack vector against vulnerable Adobe Acrobat Reader environments, with a hardcoded but functional payload and a matching receiver, making it operational rather than a bare conceptual proof.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A likely CVE assignment for a use-after-free remote code execution vulnerability in Adobe Acrobat Reader's Escript.api module caused by improper handling of property accessor definitions and desynchronization between reference counting and the event scope stack.
A prototype pollution-related Adobe Acrobat/Reader vulnerability addressed in the second emergency update. The analysis links it to a security fix involving unsafe handler construction in ANFancyAlertImpl or related variants, but states the exact CVE-to-patch mapping is unclear.
A critical prototype pollution vulnerability in Adobe Acrobat and Reader that can allow arbitrary code execution in the context of the current user.
A prototype pollution vulnerability in Adobe Acrobat Reader that could lead to arbitrary code execution in the context of the current user if a victim opens a malicious file.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.