CVE-2025-27164: 
Adobe Acrobat Reader Continuous vulnerability analysis and mitigation

Adobe Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by an out-of-bounds read vulnerability identified as CVE-2025-27164. The vulnerability was discovered by KPC of Cisco Talos and was disclosed to Adobe on January 22, 2025, with the patch being released on March 11, 2025 (Talos Report, NVD).

The vulnerability exists in the Font functionality of Adobe Acrobat Reader and is classified as an out-of-bounds read (CWE-125). The issue occurs when processing OpenType font files embedded in PDFs, specifically when handling CFF2 and maxp (Maximum Profile) tables. The vulnerability arises when the numGlyphs field in the maxp table is greater than the CharStringsCount, leading to potential out-of-bounds memory reads. The vulnerability has been assigned a CVSS 3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (Talos Report).

Successful exploitation of this vulnerability could lead to disclosure of sensitive memory contents and potentially enable attackers to bypass security mitigations such as ASLR (Address Space Layout Randomization). The vulnerability could expose sensitive information from the process memory, which could be particularly dangerous given the complex interactions between the PDF reader and font subcomponents, especially in the presence of a JavaScript engine (NVD, Talos Report).

Adobe has released security updates to address this vulnerability. Users are advised to update their Adobe Acrobat Reader installations to the latest version that includes the security patch (Adobe Security).