CVE-2023-38241: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an out-of-bounds read vulnerability identified as CVE-2023-38241. The vulnerability was discovered and reported on May 26, 2023, and publicly disclosed on August 8, 2023. This security flaw affects Adobe Acrobat and Reader applications on both Windows and macOS platforms (Adobe Advisory, ZDI Advisory).

The vulnerability is an out-of-bounds read issue that specifically occurs within the parsing of embedded fonts. The flaw stems from inadequate validation of user-supplied data, which can result in a read past the end of an allocated object. The vulnerability has received varying CVSS scores: Adobe Systems assigned it a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, while ZDI assessed it with a score of 3.3 (ZDI Advisory, NVD).

The vulnerability could lead to the disclosure of sensitive memory information. When successfully exploited, it enables attackers to bypass security mitigations such as Address Space Layout Randomization (ASLR). This information disclosure could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (Adobe Advisory, ZDI Advisory).

Adobe has released security updates to address this vulnerability. Users should update their Adobe Acrobat and Reader installations to the latest versions available through the official Adobe security advisory (Adobe Advisory).