CVE-2024-39420: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

CVE-2024-39420 is a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability affecting Adobe Acrobat Reader versions 20.005.30636, 24.002.21005, 24.001.30159, 20.005.30655, 24.002.20965, 24.002.20964, 24.001.30123, 24.003.20054 and earlier. The vulnerability was discovered in August 2024 and affects both Windows and macOS operating systems (NVD, ASEC).

The vulnerability arises when the timing of actions changes the state of a resource between the checking of a condition and the use of the resource. Specifically, it occurs in the way Adobe Acrobat Reader handles an annotation object page property. The vulnerability involves a race condition in the CPDAnnot object that can lead to accessing an annotation buffer from a different page, potentially resulting in an out-of-bounds write condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 HIGH (Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD, Talos).

Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the current user. Depending on the memory layout of the process, an attacker could potentially gain arbitrary read and write access to memory, which could ultimately be used to achieve arbitrary code execution (Talos).

Adobe has released patches to address this vulnerability. Users are advised to update to the following versions: Acrobat DC version 24.002.21005 (Windows, macOS), Acrobat Reader DC version 24.002.21005 (Windows, macOS), Acrobat 2024 version 24.001.30159 (Windows, macOS), Acrobat 2020 version 20.005.30655 (Windows, macOS), and Acrobat Reader 2020 version 20.005.30655 (Windows, MacOS) (ASEC).