CVE-2023-38236: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. The vulnerability was discovered and reported on May 26, 2023, and was publicly disclosed on August 8, 2023. This security issue affects both Adobe Acrobat and Adobe Reader applications (Adobe Advisory, NVD).

The vulnerability is classified as an out-of-bounds read vulnerability (CWE-125) specifically within the parsing of embedded fonts. The issue stems from inadequate validation of user-supplied data, which can result in a read past the end of an allocated object. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (ZDI Advisory).

The vulnerability can lead to the disclosure of sensitive memory information and could potentially be leveraged by attackers to bypass security mitigations such as Address Space Layout Randomization (ASLR). When combined with other vulnerabilities, this could enable arbitrary code execution in the context of the current process (ZDI Advisory).

Adobe has released security updates to address this vulnerability. Users should update their Adobe Acrobat and Reader installations to the latest versions available through the official Adobe update channels (Adobe Advisory).