Acrobat Reader, Prototype Pollution, (High)

Listen to this Post

How the mentioned CVE works (technical details):

The vulnerability exists in Acrobat Reader’s JavaScript engine when processing specially crafted PDF files. The application fails to properly validate and control modifications to built-in object prototypes (e.g., Object.prototype). By injecting malicious property assignments via a PDF’s embedded JavaScript, an attacker can pollute the global prototype chain. This allows overriding critical methods or properties used by internal Acrobat routines. When the polluted object is later accessed during rendering or script execution, the unexpected properties trigger arbitrary native code execution. The flaw leverages improper sanitization of __proto__, constructor, or `prototype` references in user-controlled JSON-like data. Successful exploitation bypasses memory protections like ASLR and DEP due to the attacker’s ability to redirect function pointers. The attack requires the victim to open the malicious file, but no additional privileges are needed. The issue affects versions 24.001.30356, 26.001.21367, and earlier. Adobe’s patch restricts prototype mutations by whitelisting safe properties and freezing critical objects. Exploitation in the wild typically combines prototype pollution with a subsequent gadget call to achieve code execution.

DailyCVE form:

Platform: Windows/macOS
Version: 24.001.30356, 26.001.21367 and earlier
Vulnerability: Prototype pollution → RCE
Severity: HIGH (8.6)
date: 2026-04-13

Prediction: Patch expected 2026-04-20

What Undercode Say:

Check installed Acrobat Reader version (Windows)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Acrobat.exe" /v Path
macOS - get version from plist
defaults read /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist CFBundleShortVersionString
Detect prototype pollution via JavaScript in PDF (conceptual)
pdf-parser --search "proto" malicious.pdf
Monitor process for unusual prototype modifications (Linux example - conceptual)
strace -e trace=open,write acroread malicious.pdf 2>&1 | grep -i "proto"

How Exploit:

  1. Attacker crafts PDF with embedded JavaScript containing Object.prototype.__proto__.polluted = "evil".
  2. Victim opens PDF → Acrobat executes script without prototype sanitization.
  3. Polluted property spreads to all objects, overwriting internal Acrobat functions.
  4. Later, a clean object call uses the poisoned property, redirecting execution to shellcode.
  5. Shellcode spawns calc or reverse shell in current user context.

Protection from this CVE:

  • Update to Acrobat Reader version 26.001.21368 or higher (after patch release).
  • Disable JavaScript in Acrobat: Edit → Preferences → JavaScript → Uncheck “Enable Acrobat JavaScript”.
  • Use endpoint detection rules to block PDFs containing `__proto__` or `constructor` strings.
  • Run Acrobat in a sandboxed environment (e.g., Windows Sandbox, AppContainer).

Impact:

  • Arbitrary code execution with current user privileges.
  • Full system compromise if user has admin rights.
  • Data theft, malware installation, or ransomware deployment.
  • No user interaction beyond opening the malicious PDF.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top