Prototype Pollution Arbitrary File Read in Adobe Acrobat Reader
CVE-2026-34626 is an improper control of object prototype attributes (prototype pollution) vulnerability in Adobe Acrobat Reader and related Acrobat products. According to the provided content, affected versions include Acrobat Reader/Acrobat DC Continuous Track 26.001.21411 and earlier, and Acrobat 2024 Classic Track 24.001.30360 / 24.001.30362 and earlier, on Windows and macOS. Successful exploitation can cause arbitrary file system reads in the context of the current user. The issue is triggered through a malicious PDF and requires the victim to open the file. The supplied material attributes this CVE to a prototype-pollution class bug, but does not provide a definitive vendor-confirmed vulnerable function or exact code path for CVE-2026-34626 specifically; some third-party analysis notes uncertainty in mapping individual patched code changes one-to-one to CVE-2026-34622 versus CVE-2026-34626.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small, self-contained research PoC for an Adobe Acrobat exploit chain centered on malicious PDF JavaScript execution and post-exploitation file theft. It contains 4 files: a Python PDF generator (CVE-2026-34621.py), a Python HTTP collection server (c2.py), the main Acrobat JavaScript payload (payload_steal.js), and documentation (ReadMe.md). The main exploit flow is: the operator embeds payload_steal.js into a PDF using CVE-2026-34621.py; the generated PDF sets /OpenAction to a JavaScript action so code runs when the document is opened; the JavaScript then abuses Acrobat-specific internal functions and trust mechanisms to obtain privileged execution; finally it reads a local Windows file and exfiltrates it over HTTP in chunks. CVE-2026-34621.py is not itself the vulnerability trigger beyond embedding arbitrary JavaScript into a PDF. It is a helper utility that reads an external JS file, escapes it for PDF syntax, and writes a minimal PDF object structure with /OpenAction pointing to a /JavaScript action. This makes it the delivery builder for the exploit document. payload_steal.js contains the actual exploit logic. It defines a privileged file-stealing routine using app.beginPriv(), util.readFileIntoStream(), and app.launchURL(). It hardcodes the victim file path /C/Windows/System32/drivers/etc/hosts and exfiltrates the resulting hex data to http://192.168.56.1:45191/exfil. The script also contains the exploit chain primitives described in the README: injection through ANFancyAlertImpl with a crafted button key, prototype pollution using Object.prototype.__defineGetter__('swConn', ...), trusted function registration via app.trustedFunction.bind, fake object methods for path processing, and invocation of ANShareFile/SilentDocCenterLogin to redirect privileged workflow execution. c2.py is a simple operational support component rather than the exploit itself. It listens on 0.0.0.0:45191, accepts GET requests to /exfil, reconstructs chunked hex data into binary, and saves recovered files under exfiltrated_files/. It prints progress and validates whether the recovered file begins with a PDF header. Overall, this is a real exploit PoC repository rather than a detector. It demonstrates a file-based attack vector against vulnerable Adobe Acrobat Reader environments, with a hardcoded but functional payload and a matching receiver, making it operational rather than a bare conceptual proof.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A likely CVE assignment for a use-after-free remote code execution vulnerability in Adobe Acrobat Reader's Escript.api module caused by improper handling of property accessor definitions and desynchronization between reference counting and the event scope stack.
A prototype pollution-related Adobe Acrobat/Reader vulnerability addressed in the second emergency update. The analysis links it to a security fix involving object confusion through trusted string-processing sinks such as doc.path or related variants, but states the exact CVE-to-patch mapping is unclear.
An important prototype pollution vulnerability in Adobe Acrobat and Reader that can allow arbitrary file system reads and exposure of sensitive local data.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.