Adobe Acrobat Reader Out-of-Bounds Read Vulnerability Allowing Memory Disclosure

A out-of-bounds read vulnerability has been identified in Adobe Acrobat Reader versions through 24.001.30225, 20.005.30748, 25.001.20428 and earlier. This vulnerability, which resides in the font processing functionality, can be triggered by a specially crafted font file embedded in a PDF. Exploitation of this issue could lead to the disclosure of sensitive memory, potentially allowing an attacker to bypass security mitigations such as Address Space Layout Randomization (ASLR). However, exploitation requires user interaction, as the victim must open the malicious file.

Impact

Exploitation of this vulnerability could result in unauthorized memory access, allowing for the reading of sensitive information from the process's memory space. This could facilitate further exploitation or the bypassing of certain security mitigations, such as ASLR.

Reproduction

The vulnerability can be reproduced by creating a PDF file that includes a specially crafted OpenType font file. This font file must contain 'CFF2' and 'maxp' tables, with the 'numGlyphs' field in the 'maxp' table set to a value greater than the 'CharStringsCount' in the 'CFF2' table. Once the malicious PDF is created, it can be opened in Adobe Acrobat Reader versions through 24.001.30225, 20.005.30748, 25.001.20428 and earlier. When the PDF is opened, the out-of-bounds read vulnerability is triggered, allowing for arbitrary memory reading from the process.

Remediation

Users can update to the latest version of Adobe Acrobat Reader to address this vulnerability. The patch for this issue was released on March 11, 2025.