CVE-2024-20729: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2024-20729) was discovered in Adobe Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier. The vulnerability was discovered by KPC of Cisco Talos and was publicly disclosed on February 15, 2024. The vulnerability affects the Annot3D functionality in Adobe Acrobat Reader, specifically when handling 3D type images in PDF documents (Talos Report).

The vulnerability exists in the Annot3D functionality of Adobe Acrobat Reader. When a page contains a 3D type image, the PDF Reader creates an Annot3D object. The issue occurs when a specially crafted Javascript code inside a malicious PDF document triggers reuse of a previously freed object, leading to memory corruption. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is classified as CWE-416 (Use After Free) (NVD).

Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the current user. Depending on the memory layout of the process, attackers could potentially gain arbitrary read and write access to memory, which could be leveraged for code execution (Talos Report).

Adobe has released security updates to address this vulnerability. Users should update to the latest version of Adobe Acrobat and Reader. The fixes are available through Adobe's security bulletin APSB24-07 (Adobe Advisory).