On November 28, 2025, someone uploaded a PDF to VirusTotal. The filename was Invoice540.pdf. Thirteen of sixty-four antivirus engines flagged it. The other fifty-one saw a document. The person who noticed was Haifei Li, founder of EXPMON. He pulled it apart and wrote down what he found. "The sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution and sandbox escape exploits. It abuses a zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader."

The latest version of Adobe Reader. In November 2025. That bug didn't get a name until April 12, 2026. On that day, Adobe shipped APSB26-26 and assigned CVE-2026-34621. Between the VirusTotal upload and the patch: 136 days. In that window, someone was sending invoice-themed PDFs to Russian oil and gas targets, and anyone who opened one ran code inside the boundary Adobe had sold them as a sandbox. This is not a story about prototype pollution. It is a story about how long prototype pollution ran before anyone called it that.

The 136-day detection gap

The VirusTotal upload was not secret. VirusTotal is a public hash registry. Anyone searching for suspicious PDFs targeting Adobe Reader on November 28 could have found the sample, read the 13-of-64 detection score, and pulled the hash. Li did. He published the mechanism on his blog: privileged Acrobat APIs invoked from obfuscated JavaScript in the document's open handler, confirmed on the latest Adobe Reader release. Exfiltration went to 169.40.2[.]68:45191. Four months later, on March 23, 2026, a second sample landed on VirusTotal. Same mechanism, same shape. Researcher Gi7w0rm observed that the PDFs carried Russian-language lures and referenced current events in Russia's oil and gas sector. The campaign had not stopped. It was not a one-shot.
On April 12, 2026, Adobe shipped APSB26-26 and assigned CVE-2026-34621. CVSS 9.6, critical. Adobe's Acrobat bulletins travel with a stock phrase the industry reads as routine, and the APSB26-44 update issued two days later for the same product family carries it again: "not aware of any exploits in the wild." The VirusTotal hashes had been saying otherwise since November.

This is where defender math is supposed to happen. An organization deciding what to patch first reads the CVSS score, the exploitation status, and the advisory, and ranks the queue. When the advisory says no known exploits and the vulnerability class is prototype pollution in a scripting engine, an ops team reasonably ranks it below vulnerabilities with active in-the-wild reports. That is the design of patch prioritization. The advisory text is the signal. For 136 days, the signal was wrong.

Adobe was not hiding. The PSIRT was behind the signal defenders had already paid for. VirusTotal had the hash and the detection gradient. Li had the mechanism writeup. Gi7w0rm had the targeting. None of it reached the advisory text. Every defender who used the vendor's exploitation statement as a threat-assessment input was, for nearly five months, reading a document that did not reflect what was happening.

The mechanism was not the bottleneck

The mechanism is not exotic. A PDF can carry JavaScript in an open-action handler. Adobe's EScript runtime is a sandboxed JS environment with access to a subset of Acrobat's own APIs: enough for form validation, field scripting, and digital signature flows. The sandbox is the boundary. Behind it sit privileged APIs that can read files, make network calls, and invoke OS operations. A JavaScript prototype chain is shared state. Every object in a running JS context inherits from Object.prototype unless it was deliberately created without that link (for example with Object.create(null)).
If attacker code mutates a property on Object.prototype, adding a field or overwriting one, every object in the runtime that does not define that property itself sees the attacker's value as though it were native. Code that reads someObject.hasOwnProperty, or any method it expects to come from the native prototype, now reads what the attacker wrote. The Acrobat sandbox's trust checks are JavaScript code. They read from objects. Those objects inherit from the prototype the attacker just polluted. The boundary between "scripted form logic" and "privileged Acrobat API" is enforced by a JS check reading from state the attacker can mutate. Pollute the state, the check reads a lie, the privileged API runs. That is the class.

CVE-2026-34621, per Adobe's bulletin, is exactly that class: Improperly Controlled Modification of Object Prototype Attributes, CWE-1321, leading to arbitrary code execution. The exploit chain reported in Invoice540.pdf is the class run in production: obfuscated JS on document open, privileged API execution, exfiltration, secondary payload delivery. Confirmed against the latest Adobe Reader release in November 2025. A public proof-of-concept now exists: NULL200OK/cve_2026_34621_advanced on ...
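To make the class concrete, here is an added JavaScript example written for this article. It is a toy model, not Adobe's EScript code, not the Invoice540.pdf payload, and not the public proof-of-concept: privilegedReadFile, naiveCallPrivileged, hardenedCallPrivileged, unsafeMerge, safeMerge, lockPrototype and the attacker JSON are all constructed for illustration. It shows a privilege check that reads a flag off a context object, a recursive merge of attacker-controlled JSON (a common CWE-1321 entry point) that walks into __proto__ and sets that flag on Object.prototype, the naive check then passing for an empty context, and a check that only honours own properties staying closed.

```javascript
// Toy model of prototype pollution (CWE-1321) against a JavaScript privilege
// check.  Written for this article as an illustration; it is not Adobe's
// EScript runtime and does not reproduce CVE-2026-34621.  All names are
// constructed for the example.

// Native hasOwnProperty, captured before any untrusted script runs, so a later
// pollution of Object.prototype cannot swap it out from under the check.
const hasOwn = Object.prototype.hasOwnProperty;

// Stand-in for a privileged API behind the sandbox boundary.
function privilegedReadFile(path) {
  return `contents of ${path}`;
}

// Naive trust check: `ctx.privileged` is a prototype-chain lookup.  For a
// context that never set the flag, the lookup falls through to
// Object.prototype, which is exactly the state an attacker can pollute.
function naiveCallPrivileged(ctx, path) {
  if (ctx.privileged) {
    return privilegedReadFile(path);
  }
  throw new Error("NotAllowedError: privileged API called from document script");
}

// Hardened trust check: only an own property with the expected value counts.
function hardenedCallPrivileged(ctx, path) {
  if (hasOwn.call(ctx, "privileged") && ctx.privileged === true) {
    return privilegedReadFile(path);
  }
  throw new Error("NotAllowedError: privileged API called from document script");
}

// A recursive merge of the kind found in many config/form-data helpers.
// `for...in` visits the own key "__proto__" that JSON.parse produces, and
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the attacker's keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Same merge with the gadget removed: own keys only, prototype-reaching keys
// skipped, recursion only into properties the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (!hasOwn.call(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function tryCall(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Runs the scenario end to end and returns the observations.  Removes the
// pollution it causes afterwards so it can be called more than once.
function demonstrate() {
  const r = {};
  // Constructed attacker input, e.g. JSON smuggled through a form field.
  const attackerJson = '{"title":"Invoice540","__proto__":{"privileged":true}}';

  r.naiveBeforePollution = tryCall(() => naiveCallPrivileged({}, "/etc/hosts"));

  unsafeMerge({}, JSON.parse(attackerJson));
  r.polluted = ({}).privileged === true;   // every plain object now reads as privileged
  r.naiveAfterPollution = tryCall(() => naiveCallPrivileged({}, "/etc/hosts"));
  r.hardenedAfterPollution = tryCall(() => hardenedCallPrivileged({}, "/etc/hosts"));
  r.hardenedLegitimate = tryCall(() => hardenedCallPrivileged({ privileged: true }, "/etc/hosts"));

  delete Object.prototype.privileged;      // restore the runtime
  safeMerge({}, JSON.parse(attackerJson));
  r.safeMergePollutes = ({}).privileged === true;
  return r;
}

// Embedder-side mitigation: freeze Object.prototype once trusted setup is done,
// so later writes are ignored (sloppy mode) or throw (strict mode).  It is
// irreversible, hence a separate call.
function lockPrototype() {
  Object.freeze(Object.prototype);
  try {
    Object.prototype.privileged = true;
  } catch (e) {
    // strict mode: TypeError on a frozen object
  }
  return ({}).privileged === undefined;
}

console.log(demonstrate());
```

The point of the hardened check is the own-property test, not the `=== true` comparison on its own: the polluted value is `true`, so a check that merely compares the value still passes. Freezing Object.prototype is something the embedding runtime can do after its own initialization, not something a document author controls, and it will break any later code that polyfills methods onto the prototype, so it belongs at the engine boundary rather than in application scripts.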
CVE-2026-34621 in Adobe Acrobat and Reader is a critical zero-day that allows a malicious PDF to execute privileged Acrobat APIs, leading to information leakage and potential sandbox escape. This summary scores it CVSS 8.6, whereas the bulletin discussion above cites 9.6; APSB26-26 is the authoritative source for the base score. Affected versions are Adobe Acrobat DC and Adobe Acrobat Reader DC earlier than 26.001.21411, and Adobe Acrobat 24.0.0 through 24.001.30361. Adobe has patched the issue in versions 26.001.21411, 24.001.30362, and 24.001.30360.