
CVE-2026-34621: Adobe Acrobat Reader Prototype Pollution

Adobe released a security update (APSB26-43) to address CVE-2026-34621, a critical zero-day vulnerability in Adobe Acrobat and Reader. The flaw is an Improperly Controlled Modification of Object Prototype Attributes (prototype pollution) in the embedded JavaScript engine, and it has been exploited in the wild since at least November.

Threat alert
April 15, 2026

Attackers utilise specially crafted PDF documents to bypass sandbox restrictions, execute privileged APIs, and achieve arbitrary code execution (ACE) on Windows and macOS systems.

Attack Chain

Initial Vector: The victim receives a phishing email, or visits a watering-hole site, that delivers a malicious PDF.

Prototype Pollution: When the PDF is opened, its heavily obfuscated JavaScript executes. Because of insufficient input validation, the script pollutes Object.prototype, injecting properties that propagate to every object in the application.

Privileged API Access: The polluted state allows untrusted JavaScript to invoke privileged Acrobat APIs that are normally restricted. Key functions abused include:

  • util.readFileIntoStream(): Used to read arbitrary local files, including credentials and private keys.
  • RSS.addFeed(): Used to establish a covert C2 channel. Data is exfiltrated via RSS subscription requests, and the attacker-controlled server responds with additional malicious JavaScript for further exploitation (RCE or sandbox escape).

System Fingerprinting: The exploit silently gathers system metadata (OS version, language, Reader version, and file paths) and transmits it to attacker infrastructure.

Vulnerable Versions:

Product             Affected Versions           Platform
Acrobat DC          26.001.21367 and earlier    Windows & macOS
Acrobat Reader DC   26.001.21367 and earlier    Windows & macOS
Acrobat 2024        24.001.30356 and earlier    Windows & macOS

Recommendations

  • Immediate Patching: Update to Acrobat DC/Reader DC version 26.001.21411 or Acrobat 2024 version 24.001.30362 (Windows) / 24.001.30360 (macOS).
  • Disable JavaScript: If business workflows permit, disable Acrobat JavaScript entirely via Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'.
  • User Training: Instruct users not to open PDF files from untrusted or unexpected sources, especially those with themes related to emergency responses or financial matters.
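A triage helper, added here as an example and not Adobe's or the alert's own code: it checks an installed version against the fixed versions listed in the recommendations above and flags PDFs whose embedded JavaScript references the two APIs named in the attack chain. The sample PDF bytes are constructed for the example; real malicious PDFs usually keep the script in compressed or obfuscated streams, so plain string matching is only a first pass before a proper PDF parser is applied.

```python
"""Triage helpers for CVE-2026-34621 (added example; thresholds and
API names are taken from the alert text, the sample PDF is constructed)."""
import re

# Fixed versions from the alert. Acrobat 2024 differs per platform.
FIXED_VERSIONS = {
    ("Acrobat DC", "windows"): "26.001.21411",
    ("Acrobat DC", "macos"): "26.001.21411",
    ("Acrobat Reader DC", "windows"): "26.001.21411",
    ("Acrobat Reader DC", "macos"): "26.001.21411",
    ("Acrobat 2024", "windows"): "24.001.30362",
    ("Acrobat 2024", "macos"): "24.001.30360",
}

# Privileged APIs the alert says are abused once the prototype is polluted.
SUSPICIOUS_APIS = (b"util.readFileIntoStream", b"RSS.addFeed")


def parse_version(version: str) -> tuple:
    """Turn '26.001.21367' into (26, 1, 21367) so comparisons are numeric."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(product: str, platform: str, installed: str) -> bool:
    """True when the installed build is older than the fixed build."""
    fixed = FIXED_VERSIONS[(product, platform.lower())]
    return parse_version(installed) < parse_version(fixed)


def scan_pdf_bytes(data: bytes) -> list:
    """Return indicator names found in raw PDF bytes (uncompressed only)."""
    findings = []
    # /JavaScript actions and /JS code strings mark embedded script.
    if b"/JavaScript" in data or re.search(rb"/JS(?![A-Za-z])", data):
        findings.append("embedded-javascript")
    # /OpenAction runs the script as soon as the document opens.
    if b"/OpenAction" in data:
        findings.append("open-action")
    for api in SUSPICIOUS_APIS:
        if api in data:
            findings.append(api.decode())
    return findings


# Constructed sample: a catalog with an OpenAction pointing at a JS action.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS (util.readFileIntoStream(p);"
              b"RSS.addFeed(u)) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(is_vulnerable("Acrobat Reader DC", "Windows", "26.001.21367"))
    print(scan_pdf_bytes(SAMPLE_PDF))
```

A clean PDF without JavaScript returns an empty list; a non-empty list is a reason to quarantine the file and inspect its decoded streams.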