CVE-2024-39382: 
Adobe After Effects vulnerability analysis and mitigation

Adobe After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds read vulnerability (CVE-2024-39382). The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was publicly disclosed on September 10, 2024 (Vendor Advisory, ZDI Advisory).

The vulnerability exists within the parsing of AVI files and results from the lack of proper validation of user-supplied data, which can lead to a read past the end of an allocated object. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by Adobe Systems Incorporated (NVD).

The vulnerability could lead to disclosure of sensitive memory and potentially allow an attacker to bypass mitigations such as ASLR. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

Adobe has released version 23.6.9 to address this vulnerability. Users are advised to update to the latest version of Adobe After Effects. The update is available through the Adobe Download Center (Vendor Advisory).