CVE-2024-20735: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

Adobe Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier contain an out-of-bounds read vulnerability (CVE-2024-20735) in the font file processing functionality. The vulnerability was discovered by KPC of Cisco Talos and publicly disclosed on February 15, 2024. This security flaw affects Adobe Acrobat and Reader on both Windows and macOS platforms (Talos Report, Adobe Advisory).

The vulnerability exists in the OpenType font format processing, specifically in the Color Palette Table (CPAL) handling. The issue occurs when the value of max(colorRecordIndices) + numPaletteEntries is greater than numColorRecords, leading to an out-of-bounds read condition. The vulnerability has been assigned CWE-125 (Out-of-bounds Read) and has a CVSS v3.1 Base Score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) (Talos Report).

The vulnerability could lead to disclosure of sensitive memory contents. Due to complex interactions between PDF reader and font subcomponents, especially with the JavaScript engine present, the disclosed memory contents could potentially aid in further exploitation and bypass exploit mitigations such as ASLR (Talos Report).

Adobe has released patches to address this vulnerability through their security bulletin APSB24-07. Users are advised to update to the latest version of Adobe Acrobat and Reader (Adobe Advisory).