CVE-2023-38235: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an out-of-bounds read vulnerability that was discovered in 2023. The vulnerability, tracked as CVE-2023-38235, affects the parsing of embedded fonts in Adobe Acrobat and Reader. This security flaw requires user interaction, specifically opening a malicious file, to be exploited (NVD CVE, Adobe Advisory).

The vulnerability is classified as an out-of-bounds read vulnerability (CWE-125) that occurs during the parsing of embedded fonts. The issue stems from inadequate validation of user-supplied data, which can result in a read past the end of an allocated object. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (ZDI Advisory, NVD CVE).

The vulnerability could lead to the disclosure of sensitive memory information. More significantly, attackers could potentially leverage this vulnerability to bypass security mitigations such as Address Space Layout Randomization (ASLR). This could be particularly dangerous if combined with other vulnerabilities, potentially enabling arbitrary code execution in the context of the current process (ZDI Advisory).

Adobe has released security updates to address this vulnerability. Users should update their Adobe Acrobat and Reader installations to the latest versions available through the official Adobe security advisory (Adobe Advisory).