Analysis of Prototype Pollution in Adobe Acrobat

The article provides a detailed examination of three critical vulnerabilities, CVE-2026-34621, CVE-2026-34622 and CVE-2026-34626, affecting Acrobat DC, Acrobat Reader DC, and Acrobat 2024, respectively. These issues stem from improper handling of object prototype modifications (prototype pollution) within the JavaScript environment during PDF document parsing.
Exploitation of these vulnerabilities allows an attacker to inject arbitrary properties into JavaScript runtime objects, potentially leading to sensitive data leakage or arbitrary code execution.
For a successful attack, it is sufficient for a user to open a specially crafted PDF file; no additional privileges or further user interaction are required. On successful exploitation, the attacker can execute code in the context of the Reader process.
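The summary names the bug class but not Acrobat's internals, so the following added example (not from the article and not Adobe's code) shows generic prototype pollution through a recursive merge, next to a hardened merge that rejects the dangerous keys. The function names and the sample input are constructed for illustration.

```javascript
// Added illustration of the bug class, not Acrobat's code. All names and
// the sample input are constructed for this example.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isObject = (v) => v !== null && typeof v === "object";

// Vulnerable pattern: every key is copied, so an own "__proto__" key in
// parsed input makes the recursion write into Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip prototype-related keys, only descend into the
// target's own properties, and create nested objects without a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(source[key])) {
      if (!own || !isObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs both merges on the same untrusted input and reports whether an
// unrelated, freshly created object picked up the injected property.
function demo() {
  const untrusted = JSON.parse('{"title":"report","__proto__":{"isTrusted":true}}');
  const safe = safeMerge({}, untrusted);
  const afterSafe = ({}).isTrusted === true;
  naiveMerge({}, untrusted);
  const afterNaive = ({}).isTrusted === true;
  delete Object.prototype.isTrusted; // undo the pollution
  return { title: safe.title, afterSafe, afterNaive };
}

console.log(demo());
```

The property that appears on an unrelated empty object after the naive merge is the "arbitrary property injected into runtime objects" that the summary describes; code that later branches on such a property is what turns pollution into a security impact.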
Vulnerabilities
10
CVE-2026-34621
8.6
CVE-2026-34622
6.3
CVE-2026-34626
Researchers
Michele Spagnuolo
Vendors
Adobe
Products
Acrobat 2024
Acrobat DC
Acrobat Reader DC
Published
2026-05-06, 10:41