CVE-2022-23194: 
Adobe Illustrator vulnerability analysis and mitigation

Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) were affected by an out-of-bounds read vulnerability discovered in late 2021. The vulnerability, identified as CVE-2022-23194, was officially disclosed on February 8, 2022, affecting both Windows and MacOS platforms. This security flaw specifically exists in the decoding of Computer Graphics Metafile (CGM) files within Adobe Illustrator's 'Reader_for_CGM' plugin (Fortinet Blog, Adobe Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs due to improper bounds checking when processing CGM files in the 'Reader_for_CGM' plugin. It received a CVSS v3.1 base score of 5.5 (Medium), with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability requires local access and user interaction, as the victim must open a malicious file for exploitation to occur (NVD, Adobe Advisory).

The vulnerability could lead to disclosure of sensitive memory information and potentially allow attackers to bypass security mitigations such as ASLR (Address Space Layout Randomization). When successfully exploited, it enables unintended memory reads that could result in memory data leaks through a specially crafted CGM file (NVD, Fortinet Blog).

Adobe has released security patches to address this vulnerability. Users are advised to update to versions newer than Adobe Illustrator 2022 version 26.0.2 or Adobe Illustrator 2021 version 25.4.3. The patches were released as part of Adobe's February 2022 security update (Adobe Advisory).