Adobe Acrobat Reader
cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*
- <= 24.001.30225
- <= 20.005.30748
- <= 25.001.20428
- <= 2024.005.20320
An out-of-bounds read vulnerability has been identified in Adobe Acrobat Reader versions through 24.001.30225, 20.005.30748, and 25.001.20428. The vulnerability is in the font handling component, specifically in the processing of OpenType font files embedded in PDFs. An attacker could exploit this issue to read sensitive memory, potentially bypassing mitigations like Address Space Layout Randomization (ASLR). Exploitation requires user interaction, as the victim must open a maliciously crafted PDF file.
Exploitation of this vulnerability could lead to unauthorized memory access and the disclosure of sensitive information. The disclosed memory contents could be used to bypass certain security mitigations, like ASLR, and may facilitate further exploitation of the application.
The vulnerability can be reproduced by opening a PDF file that contains a specially crafted OpenType font. This font must include 'hhea' and 'hmtx' tables, with the 'numberOfHMetrics' field in the 'hhea' table set to a value that, when processed, causes an out-of-bounds read. The condition is a mismatch between the 'numberOfHMetrics' value and the actual length of the 'hmtx' table, which is what triggers the out-of-bounds read.
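A defensive check for the mismatch described above, as an added example that is not part of the original advisory or the vendor's code: it parses the sfnt table directory of a font program already extracted from a PDF and flags a 'numberOfHMetrics' value that the 'hmtx' table is too short to hold. The function names and the constructed sample are assumptions; the field offsets follow the OpenType specification (4 bytes per 'hmtx' long metric entry).

```python
import struct

def sfnt_tables(data):
    """Return {tag: (offset, length)} from an sfnt/OpenType table directory."""
    if len(data) < 12:
        raise ValueError("truncated sfnt header")
    num_tables = struct.unpack_from(">H", data, 4)[0]
    if 12 + 16 * num_tables > len(data):
        raise ValueError("table directory truncated")
    tables = {}
    for i in range(num_tables):
        # Table record: tag, checksum, offset, length (16 bytes, big-endian).
        tag, _csum, off, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        if off + length > len(data):
            raise ValueError(f"table {tag!r} extends past end of file")
        tables[tag] = (off, length)
    return tables

def check_hmetrics(data):
    """Return a list of findings; an empty list means hhea and hmtx agree."""
    tables = sfnt_tables(data)
    if b"hhea" not in tables or b"hmtx" not in tables:
        return ["missing hhea or hmtx table"]
    hhea_off, hhea_len = tables[b"hhea"]
    if hhea_len < 36:
        return ["hhea table shorter than 36 bytes"]
    # numberOfHMetrics is the last uint16 of the 36-byte hhea table.
    n_hm = struct.unpack_from(">H", data, hhea_off + 34)[0]
    hmtx_len = tables[b"hmtx"][1]
    if 4 * n_hm > hmtx_len:
        return [f"numberOfHMetrics={n_hm} needs {4 * n_hm} bytes, hmtx has {hmtx_len}"]
    return []

def build_sample(n_hmetrics, hmtx_len):
    """Constructed test input: a bare sfnt holding only zeroed hhea and hmtx."""
    body = {b"hhea": bytes(34) + struct.pack(">H", n_hmetrics),
            b"hmtx": bytes(hmtx_len)}
    out = struct.pack(">IHHHH", 0x4F54544F, len(body), 0, 0, 0)  # 'OTTO' header
    off = 12 + 16 * len(body)
    for tag, blob in body.items():
        out += struct.pack(">4sIII", tag, 0, off, len(blob))
        off += len(blob)
    return out + b"".join(body.values())

if __name__ == "__main__":
    print(check_hmetrics(build_sample(4, 16)))
    print(check_hmetrics(build_sample(500, 16)))
```

A non-empty result is a reason to quarantine the PDF for review; a complete validator would also compare the 'hmtx' length against the glyph count in 'maxp'.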
Users are advised to update to the latest version of Adobe Acrobat Reader, as the vendor has released a patch for this vulnerability.