CVE-2025-27163: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

Adobe Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an out-of-bounds read vulnerability identified as CVE-2025-27163. The vulnerability was discovered by KPC of Cisco Talos and publicly disclosed on March 11, 2025, after Adobe released patches. This security flaw exists in the Font functionality of Adobe Acrobat Reader and requires user interaction, specifically opening a malicious PDF file, to be exploited (Talos Report, NVD).

The vulnerability is an out-of-bounds read issue in the Font functionality, specifically related to the OpenType font format processing. The flaw occurs when handling the hhea and hmtx tables within font files. The vulnerability manifests when the numberOfHMetrics field value in the hhea table is inconsistent with the tableLength field of the hmtx table, specifically when N < 4 * numberOfHMetrics, where N is the value of the tableLength field. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (Talos Report, NVD).

The successful exploitation of this vulnerability could lead to disclosure of sensitive memory information and potentially enable attackers to bypass security mitigations such as ASLR (Address Space Layout Randomization). Due to the complex interactions between the PDF reader and font subcomponents, including the JavaScript engine, the vulnerability could allow attackers to access and disclose sensitive contents from arbitrary memory locations (Talos Report, NVD).

Adobe has released security updates to address this vulnerability. Users are advised to update their Adobe Acrobat and Reader installations to the latest versions available through the official Adobe update channels (Adobe Security).