# Talos Vulnerability Report ### TALOS-2025-2159 ## Adobe Acrobat Reader Font CFF2 PrivateDict vsindex Out-Of-Bounds Read Vulnerability ##### June 11, 2025 ##### CVE Number CVE-2025-43578 ##### SUMMARY An out-of-bounds read vulnerability exists in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. ##### CONFIRMED VULNERABLE VERSIONS The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor. Adobe Acrobat Reader 2025.001.20435 ##### PRODUCT URLS Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html ##### CVSSv3 SCORE 6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N ##### CWE CWE-839 - Numeric Range Comparison Without Minimum Check ##### DETAILS Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs. Adobe Acrobat supports parsing of embedded font files in the PDF. This vulnerability is related to OpenType font format. An OpenType font file starts with a table directory (`TableDirectory` ) followed by one or more table record (`TableRecord`) entries. The structure of `TableDirectory` is as follows: Offset Size Name ------ ----- -------------------------------------- 0x00 0x04 sfntVersion (0x00010000 or 0x4F54544F ) 0x04 0x02 numTables 0x06 0x02 searchRange 0x08 0x02 entrySelector 0x0c 0x02 rangeShift If the value of the `sfntVersion` field is `0x00010000` or `0x74727565` , the font contains TrueType data. The CFF data will be present if the value of `sfntVersion` is `0x4F54544F` (‘OTTO). The `numTables` field specifies the number of `TableRecord` entries present in the font file. The structure of a `TableRecord` entry is as follows: Offset Size Name ------ ----- ---------------------------------- 0x00 0x04 tableTag 0x04 0x04 tableChecksum 0x08 0x04 tableOffset 0x0C 0x04 tablelength `tableTag` is the name of `TableRecord`. The `tableOffset` field specifies the offset of the table from the beginning of the file. The `tablelength` indicates the length of the table. The structure of each `TableRecord` depends on the type table, which is defined by the `tableTag`. This vulnerability is related to the `CFF2` table. For the `CFF2` table, the value of the `tableTag` field is the string `CFF2`. `CFF2` stands for Compact Font Format version 2 table. It is used to store and represent glyph outlines and other related data for OpenType fonts. A `CFF2` table starts with a table header, followed by `Top DICT`, `Global Subr INDEX`, `VariationStore` and so on. The structure of the `CFF2` table header is as follows: Offset Size Name ------ ----- -------------------------------------- 0x00 0x01 cff2MajorVersion 0x01 0x01 cfff2MinorVersion 0x02 0x01 cff2HeaderSize 0x03 0x02 topDictLength Here, the `topDictLength` field indicates the length of the `Top DICT` data in bytes. The `Top DICT` data is a dictionary data comprising key-value pairs, where the key is a 1- or 2-byte operator and the dictionary value is encoded as a variable-size numeric operand. The important thing to note here is that in `Top DICT` data, an operator is preceded by the operand(s) that specify its value. The following table indicates various types of operators `Top DICT` data may contain: Operator Name Operator Value Operand type and meaning ---------------------------------------------------------------------------------------------------------- CharStrings 0x11 number and it gives CharStrings INDEX offset, from start of the CFF2 table. vstore 0x18 number and it specifies VariationStore structure offset, from start of the CFF2 table. FontDICTINDEXOffset 0x0C 0x24 number and it gives FontDICT (FD) INDEX offset, from start of the CFF2 table. FontDICTSelectOffset 0x0C 0x25 number and it specifies offset to the FontDICTSelect subtable, from start of the CFF2 table. FontMatrix 0x0c 0x07 array and default value is (0.001 0 0 0.001 0 0) For this vulnerability, the `vstore` and `FontDICTINDEXOffset` operators play crucial roles. The byte value of the `vstore` operator is `0x18`. Its operand specifies the offset to the `VariationStore` structure from the start of the CFF2 table. Similarly, the byte value of the `FontDICTINDEXOffset` operator is `0x0C24`. The operand for this operator provides the offset to the `FontDICTINDEX` structure from the beginning of the CFF2 table. The operand value is encoded and can be decoded using the following pseudo Python code: # usage: decode_integer(b"\x1d\x00\x00\x00\x8a") def decode_integer(data): first_byte = data[0] if 32 <= first_byte <= 246: return first_byte - 139 elif 247 <= first_byte <= 250: return (first_byte - 247) * 256 + data[1] + 108 elif 251 <= first_byte <= 254: return -(first_byte - 251) * 256 - data[1] - 108 elif first_byte == 28: return data[1] * 256 + data[2] elif first_byte == 29: return (data[1] << 24) + (data[2] << 16) + (data[3] << 8) + data[4] In our case, the `Top DICT` data contains four operators, and the content of the `Top DICT` data is as follows: F7 35 0C 25 => (operator: FontDICTSelectOffset, operand after encoding: 0xA1) 1D 00 00 17 BC 0C 24 => (operator: FontDICTINDEXOffset, operand after encoding: 0x17BC) F7 40 11 => (operator: CharStrings, operand after encoding: 0xac) A4 18 => (operator: vstore, operand after encoding: 0x19) The fourth entry of the `Top DICT` data signifies that it contains the `VariationStore`, which begins at an offset of `0x19` from the start of the CFF2 table. The structure of the `VariationStore` is as follows: Offset Size Name -------------------------------------------------------------- 0x00 0x02 Length 0x02 0x02 Format 0x04 0x04 variationRegionListOffset 0x06 0x02 itemVariationDataCount (N) 0x08 0x04 * N itemVariationDataOffsets[N] `Length` indicates the total size in bytes of the `Item Variation Store`. The `Item Variation Store` structure begins with the `Format` field. The `itemVariationDataCount` is crucial, as it specifies the number of `item variation data` subtables. The second entry of the `Top DICT` data indicates that it contains the `FontDICTINDEX`, which starts at an offset of `0x17BC` from the beginning of the CFF2 table. The `FontDICTINDEX` consists of a header followed by an array of `FontDICT` tables. The structure of the `FontDICTINDEX` header is as follows: Offset Size Name -------------------------------------------------------------- 0x00 0x04 FontDICTCount (M) 0x04 0x01 FontDICTOffsetSize (L) 0x04 (N+1)*M FontDICTOffsets `FontDICTCount` specifies the number of `FontDICT` entries stored in the `FontDICTINDEX`. `FontDICTOffsets` is an offset array, with the total size of the array being `(FontDICTCount + 1) * FontDICTOffsetSize` bytes. The size of each element in the offset array is determined by `FontDICTOffsetSize`. Offsets within the array are relative to the byte preceding the `FontDICT`. In our case, `FontDICTCount` is `0x02`, indicating that two `FontDICT` entries are present. Their values are: FontDict-1 => F7 24 1D 00 00 17 D4 12 (PrivateDICTSize=0x90, PrivateDICTOffset=0x17d4) FontDict-2 => F7 08 1D 00 00 18 44 12 (PrivateDICTSize=0x74, PrivateDICTOffset=0x1844) The operand of a `Font Dict` contains the size (`PrivateDICTSize`) and offset (`PrivateDICTOffset`). These values can be calculated using the `decode_integer` function mentioned earlier. Here, `PrivateDICTOffset` indicates the offset of the `PrivateDICT` from the start of the `CFF2` table. The operator value for `FontDict` must be `0x12`. The structure of `PrivateDICT` is same as `Top DICT`. Note that the `operands` type is defined by the corresponding `operator` value. The following table indicates various types of operators `PrivateDICT` data may contain: Operator Value Operator Name Operator Purpose ------------------------------------------------------------ 0x13 LocalSubrINDEXOffset subroutines 0x16 vsindex variation 0x17 blend variation 0x06 BlueValues hinting 0x07 OtherBlues hinting 0x08 FamilyBlues hinting 0x09 FamilyOtherBlues hinting 0x0c09 BlueScale hinting 0x0c0a BlueShift hinting 0x0c0b BlueFuzz hinting 0x0a StdHW hinting 0x0b StdVW hinting 0x0c0c StemSnapH hinting 0x0c0d StemSnapV hinting 0x0c11 LanguageGroup hinting 0x0c12 ExpansionFactor hinting Here, the `vsindex` `PrivateDICT` operator is important. It contains only a single operand, `ivd`, which specifies the index for the `ItemVariationData` structure to be used. This vulnerability occurs when the value of `ivd` is greater than or equal to `itemVariationDataCount`. The following code is related to the processing of `vstore` as observed in the debugger (with PageHeap enabled): :000> p Time Travel Position: 3D82BE:1CE2 eax=0000000c ebx=9e104570 ecx=00000004 edx=00005510 esi=000031f0 edi=9e104570 eip=6d725517 esp=00afc114 ebp=00afc134 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 CoolType!CTGetVersion+0xcaa97: 6d725517 57 push edi 0:000> p Time Travel Position: 3D82BE:1CE3 eax=0000000c ebx=9e104570 ecx=00000004 edx=00005510 esi=000031f0 edi=9e104570 eip=6d725518 esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 CoolType!CTGetVersion+0xcaa98: 6d725518 e8e5d6ffff call CoolType!CTGetVersion+0xc8182 (6d722c02) ;<--------------------- (1) 0:000> p Time Travel Position: 3D82BE:1CFD eax=00000001 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570 eip=6d72551d esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xcaa9d: 6d72551d 66898738020000 mov word ptr [edi+238h],ax ds:002b:9e1047a8=ffff ;<--------------------- (2) 0:000> p Time Travel Position: 3D82BE:1CFE eax=00000001 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570 eip=6d725524 esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xcaaa4: 6d725524 0fb7c0 movzx eax,ax 0:000> p Time Travel Position: 3D82BE:1CFF eax=00000001 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570 eip=6d725527 esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xcaaa7: 6d725527 c1e004 shl eax,4 ;<----------------------- (3) 0:000> p Time Travel Position: 3D82BE:1D00 eax=00000010 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570 eip=6d72552a esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xcaaaa: 6d72552a 50 push eax 0:000> p Time Travel Position: 3D82BE:1D01 eax=00000010 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570 eip=6d72552b esp=00afc10c ebp=00afc134 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xcaaab: 6d72552b e8a606e5ff call CoolType!CTInit+0x2556 (6d575bd6) ;<----------------------- (4) :000> p Time Travel Position: 3D82C2:115B eax=af9f2ff0 ebx=9e104570 ecx=6d575bfe edx=00000000 esi=000031f0 edi=9e104570 eip=6d725530 esp=00afc10c ebp=00afc134 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286 CoolType!CTGetVersion+0xcaab0: 6d725530 89873c020000 mov dword ptr [edi+23Ch],eax ds:002b:9e1047ac=00000000 0:000> dd eax ;<----------------------- (5) af9f2ff0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 af9f3000 ???????? ???????? ???????? ???????? [...] 0:000> p Time Travel Position: 3D82CD:1C3C eax=00000008 ebx=00000000 ecx=00008000 edx=00afbfdc esi=af9f2ff0 edi=9e104570 eip=6d72562a esp=00afc114 ebp=00afc134 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 CoolType!CTGetVersion+0xcabaa: 6d72562a 663bc1 cmp ax,cx 0:000> p Time Travel Position: 3D82CD:1C3D eax=00000008 ebx=00000000 ecx=00008000 edx=00afbfdc esi=af9f2ff0 edi=9e104570 eip=6d72562d esp=00afc114 ebp=00afc134 iopl=0 ov up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000a83 CoolType!CTGetVersion+0xcabad: 6d72562d 0f87e3000000 ja CoolType!CTGetVersion+0xcac96 (6d725716) [br=0] 0:000> db af9f2ff0 ;<----------------------- (6) af9f2ff0 00 00 00 00 08 00 c0 c0-00 00 00 00 c0 c0 c0 c0 ................ af9f3000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? At `(1)`, a method is called to read the `itemVariationDataCount` field of the `VariationStore` structure. The value of `itemVariationDataCount` is `0x01`, which can be observed at `(2)`. A buffer size is calculated using `itemVariationDataCount` at `(3)`. At `(4)`, a method calls `malloc` to allocate the vulnerable buffer. The value of the vulnerable buffer is examined at `(5)`. The buffer is used to store the `item variation data` subtable, and its value can be observed at `(6)` after initialization. After processing `vstore`, the application eventually processes the second `PrivateDICT`, which contains the malformed `vsindex` operator. 0:000> g eax=00000000 ebx=ba1bd3ec ecx=00000000 edx=b02cefc8 esi=9e104570 edi=b6e177e4 eip=6d7231ba esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc873a: 6d7231ba 8b8e44230000 mov ecx,dword ptr [esi+2344h] ds:002b:9e1068b4=b7558e00 0:000> p Time Travel Position: 3D8519:1C40 eax=00000000 ebx=ba1bd3ec ecx=b7558e00 edx=b02cefc8 esi=9e104570 edi=b6e177e4 eip=6d7231c0 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc8740: 6d7231c0 8bc1 mov eax,ecx 0:000> db ecx ;<----------------------- (7) b7558e00 fc 39 9a 1d 00 00 05 d6-9a 88 a3 7d 8d 8e 81 76 .9.........}...v b7558e10 82 8b 8b 8b 8b 8b 8b 8b-8b 69 94 93 75 8e 9d a6 .........i..u... b7558e20 99 8b 8b 8b 8b 8b 8b 8b-8b 8f 17 16 07 1e a0 37 ...............7 b7558e30 5f 8b ab 1e a0 09 37 5f-8b 8b 8b 8b 8b 8c 17 0c _.....7_........ b7558e40 09 8b 0c 0b b9 74 9c 9d-75 88 9c 8a 7a 8c 17 0a .....t..u...z... b7558e50 e0 52 f4 96 79 84 99 8e-7f 8c 17 0b b9 46 b3 8c .R..y........F.. b7558e60 63 96 a7 79 7f 0c 0c e0-fb 22 f7 36 2d 6e 96 a0 c..y.....".6-n.. b7558e70 80 7c 0c 0d 00 01 00 00-00 0a 00 30 00 3e 00 04 .|.........0.>.. [...] 0:000> p Time Travel Position: 3D8519:1C60 eax=b7558e01 ebx=00000000 ecx=00000001 edx=b02ceffc esi=9e104570 edi=000000fc eip=6d724562 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283 CoolType!CTGetVersion+0xc9ae2: 6d724562 8a10 mov dl,byte ptr [eax] ds:002b:b7558e01=39 0:000> p Time Travel Position: 3D8519:1C61 eax=b7558e01 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=000000fc eip=6d724564 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283 CoolType!CTGetVersion+0xc9ae4: 6d724564 40 inc eax 0:000> p Time Travel Position: 3D8519:1C62 eax=b7558e02 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=000000fc eip=6d724565 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283 CoolType!CTGetVersion+0xc9ae5: 6d724565 898644230000 mov dword ptr [esi+2344h],eax ds:002b:9e1068b4=b7558e01 0:000> p Time Travel Position: 3D8519:1C63 eax=b7558e02 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=000000fc eip=6d72456b esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283 CoolType!CTGetVersion+0xc9aeb: 6d72456b c1e708 shl edi,8 0:000> p Time Travel Position: 3D8519:1C64 eax=b7558e02 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=0000fc00 eip=6d72456e esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 CoolType!CTGetVersion+0xc9aee: 6d72456e b994fa0000 mov ecx,0FA94h 0:000> p Time Travel Position: 3D8519:1C65 eax=b7558e02 ebx=00000000 ecx=0000fa94 edx=b02cef39 esi=9e104570 edi=0000fc00 eip=6d724573 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 CoolType!CTGetVersion+0xc9af3: 6d724573 2bcf sub ecx,edi 0:000> p Time Travel Position: 3D8519:1C66 eax=b7558e02 ebx=00000000 ecx=fffffe94 edx=b02cef39 esi=9e104570 edi=0000fc00 eip=6d724575 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283 CoolType!CTGetVersion+0xc9af5: 6d724575 0fb6c2 movzx eax,dl 0:000> p Time Travel Position: 3D8519:1C67 eax=00000039 ebx=00000000 ecx=fffffe94 edx=b02cef39 esi=9e104570 edi=0000fc00 eip=6d724578 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283 CoolType!CTGetVersion+0xc9af8: 6d724578 2bc8 sub ecx,eax 0:000> p Time Travel Position: 3D8519:1C68 eax=00000039 ebx=00000000 ecx=fffffe5b edx=b02cef39 esi=9e104570 edi=0000fc00 eip=6d72457a esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000292 CoolType!CTGetVersion+0xc9afa: 6d72457a 898cde8c020000 mov dword ptr [esi+ebx*8+28Ch],ecx ds:002b:9e1047fc=fffffe5b ;<----------------------- (8) Evaluate expression: -421 = fffffe5b [...] 0:000> g- compare to switch Time Travel Position: 3D851D:DD8 eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d723207 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293 CoolType!CTGetVersion+0xc8787: 6d723207 83ff1f cmp edi,1Fh ;<----------------------- (9) 0:000> p Time Travel Position: 3D851D:DD9 eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d72320a esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293 CoolType!CTGetVersion+0xc878a: 6d72320a 0f87a5130000 ja CoolType!CTGetVersion+0xc9b35 (6d7245b5) [br=0] 0:000> p Time Travel Position: 3D851D:DDA eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d723210 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293 CoolType!CTGetVersion+0xc8790: 6d723210 ff24bd5346726d jmp dword ptr CoolType!CTGetVersion+0xc9bd3 (6d724653)[edi*4] ds:002b:6d7246ab=6d724147 0:000> p Time Travel Position: 3D851D:DDB eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724147 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293 CoolType!CTGetVersion+0xc96c7: 6d724147 807e5c02 cmp byte ptr [esi+5Ch],2 ds:002b:9e1045cc=02 0:000> p Time Travel Position: 3D851D:DDC eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d72414b esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc96cb: 6d72414b 0f853f040000 jne CoolType!CTGetVersion+0xc9b10 (6d724590) [br=0] 0:000> p Time Travel Position: 3D851D:DDD eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724151 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc96d1: 6d724151 8b45fc mov eax,dword ptr [ebp-4] ss:002b:00afb838=ba1bd3c4 0:000> p Time Travel Position: 3D851D:DDE eax=ba1bd3c4 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724154 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc96d4: 6d724154 8b8028920000 mov eax,dword ptr [eax+9228h] ds:002b:ba1c65ec=af8e0fe8 0:000> p Time Travel Position: 3D851D:DDF eax=af8e0fe8 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d72415a esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc96da: 6d72415a 85c0 test eax,eax 0:000> p Time Travel Position: 3D851D:DE0 eax=af8e0fe8 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d72415c esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286 CoolType!CTGetVersion+0xc96dc: 6d72415c 740d je CoolType!CTGetVersion+0xc96eb (6d72416b) [br=0] 0:000> p Time Travel Position: 3D851D:DE1 eax=af8e0fe8 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016 eip=6d72415e esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286 CoolType!CTGetVersion+0xc96de: 6d72415e 33c9 xor ecx,ecx 0:000> p Time Travel Position: 3D851D:DE2 eax=af8e0fe8 ebx=ba1bd3ec ecx=00000000 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724160 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc96e0: 6d724160 41 inc ecx 0:000> p Time Travel Position: 3D851D:DE3 eax=af8e0fe8 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724161 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc96e1: 6d724161 66394802 cmp word ptr [eax+2],cx ds:002b:af8e0fea=0000 0:000> p Time Travel Position: 3D851D:DE4 eax=af8e0fe8 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724165 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297 CoolType!CTGetVersion+0xc96e5: 6d724165 0f8425040000 je CoolType!CTGetVersion+0xc9b10 (6d724590) [br=0] [...] 0:000> p Time Travel Position: 3D851D:DE8 eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724174 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 CoolType!CTGetVersion+0xc96f4: 6d724174 7d16 jge CoolType!CTGetVersion+0xc970c (6d72418c) [br=1] 0:000> p Time Travel Position: 3D851D:DE9 eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d72418c esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 CoolType!CTGetVersion+0xc970c: 6d72418c 83be8802000000 cmp dword ptr [esi+288h],0 ds:002b:9e1047f8=00000001 0:000> p Time Travel Position: 3D851D:DEA eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724193 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc9713: 6d724193 7408 je CoolType!CTGetVersion+0xc971d (6d72419d) [br=0] 0:000> p Time Travel Position: 3D851D:DEB eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d724195 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc9715: 6d724195 8b868c020000 mov eax,dword ptr [esi+28Ch] ds:002b:9e1047fc=fffffe5b ;<----------------------- (10) 0:000> t Time Travel Position: 3D851D:DEC eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d72419b esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc971b: 6d72419b eb08 jmp CoolType!CTGetVersion+0xc9725 (6d7241a5) 0:000> t Time Travel Position: 3D851D:DED eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d7241a5 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc9725: 6d7241a5 50 push eax 0:000> t Time Travel Position: 3D851D:DEE eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d7241a6 esp=00afb824 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc9726: 6d7241a6 56 push esi 0:000> t Time Travel Position: 3D851D:DEF eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d7241a7 esp=00afb820 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc9727: 6d7241a7 89835c010000 mov dword ptr [ebx+15Ch],eax ds:002b:ba1bd548=00000000;<----------------------- (11) 0:000> t Time Travel Position: 3D851D:DF0 eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016 eip=6d7241ad esp=00afb820 ebp=00afb83c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 CoolType!CTGetVersion+0xc972d: 6d7241ad e8e0210000 call CoolType!CTGetVersion+0xcb912 (6d726392) [...] :0:000> p Time Travel Position: 3D851D:1E0E eax=00000001 ebx=ba1bd3c4 ecx=fffffe5b edx=b02cefc8 esi=9e104570 edi=9e104570 eip=6d71ffab esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 CoolType!CTGetVersion+0xc552b: 6d71ffab 8bb384010000 mov esi,dword ptr [ebx+184h] ds:002b:ba1bd548=fffffe5b ;<----------------------- (12) 0:000> p Breakpoint 0 hit Time Travel Position: 3D851D:1E0F eax=00000001 ebx=ba1bd3c4 ecx=fffffe5b edx=b02cefc8 esi=fffffe5b edi=9e104570 eip=6d71ffb1 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 CoolType!CTGetVersion+0xc5531: 6d71ffb1 3bf0 cmp esi,eax ;<----------------------- (13) 0:000> p Time Travel Position: 3D851D:1E10 eax=00000001 ebx=ba1bd3c4 ecx=fffffe5b edx=b02cefc8 esi=fffffe5b edi=9e104570 eip=6d71ffb3 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286 CoolType!CTGetVersion+0xc5533: 6d71ffb3 0f8db8010000 jge CoolType!CTGetVersion+0xc56f1 (6d720171) [br=0] ;<----------------------- (14) [..] :000> p Time Travel Position: 3D851D:1E16 eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570 eip=6d71ffd5 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 CoolType!CTGetVersion+0xc5555: 6d71ffd5 85c0 test eax,eax 0:000> p Time Travel Position: 3D851D:1E17 eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570 eip=6d71ffd7 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286 CoolType!CTGetVersion+0xc5557: 6d71ffd7 0f8494010000 je CoolType!CTGetVersion+0xc56f1 (6d720171) [br=0] 0:000> p Time Travel Position: 3D851D:1E18 eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570 eip=6d71ffdd esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286 CoolType!CTGetVersion+0xc555d: 6d71ffdd 83bf4402000000 cmp dword ptr [edi+244h],0 ds:002b:9e1047b4=b6debfe0 0:000> p Time Travel Position: 3D851D:1E19 eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570 eip=6d71ffe4 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282 CoolType!CTGetVersion+0xc5564: 6d71ffe4 0f8487010000 je CoolType!CTGetVersion+0xc56f1 (6d720171) [br=0] 0:000> p Time Travel Position: 3D851D:1E1A eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570 eip=6d71ffea esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282 CoolType!CTGetVersion+0xc556a: 6d71ffea c1e604 shl esi,4 ;<----------------------- (15) 0:000> p Time Travel Position: 3D851D:1E1B eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=ffffe5b0 edi=9e104570 eip=6d71ffed esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283 CoolType!CTGetVersion+0xc556d: 6d71ffed 03f0 add esi,eax ;<----------------------- (16) 0:000> dd eax af9f2ff0 00000000 c0c00008 b64cfff0 c0c0c0c0 af9f3000 ???????? ???????? ???????? ???????? af9f3010 ???????? ???????? ???????? ???????? af9f3020 ???????? ???????? ???????? ???????? af9f3030 ???????? ???????? ???????? ???????? af9f3040 ???????? ???????? ???????? ???????? af9f3050 ???????? ???????? ???????? ???????? af9f3060 ???????? ???????? ???????? ???????? The buffer examined at `(7)` contains the second `PrivateDICT`. Bytes within `PrivateDICT` pass through a switch condition; if they do not match the operator value, they are decoded as operands using the logic defined in the `decode_integer` function. The first decoded operand value is `0xfffffe5b`, as observed at `(8)`. The first operator value is `0x16`, present in the register `edi`, indicating the operator type is `vsindex`, as seen at `(9)`. At `(10)`, the first decoded operand is passed to the register and later saved as `ivd` at `(11)`. At `(13)`, `esi` contains `ivd`, and `eax` holds the value of `itemVariationDataCount`. The jump at `(14)` does not occur due to the signed comparison failing. Later, at `(15)`, `ivd` is used as an index to calculate the offset and is appended to the vulnerable buffer at `(16)`. Accessing this buffer results in an out-of-bounds read, which can be observed at the time of the crash. 0:000> p (12b8.a78): Access violation - code c0000005 (first/second chance not available) First chance exceptions are reported before any exception handling. This exception may be expected and handled. Time Travel Position: 3D851E:0 eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=af9f15a0 edi=9e104570 eip=6d71fff2 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287 CoolType!CTGetVersion+0xc5572: 6d71fff2 0fb74604 movzx eax,word ptr [esi+4] ds:002b:af9f15a4=???? 0:000> dd af9f15a4 af9f15a4 ???????? ???????? ???????? ???????? af9f15b4 ???????? ???????? ???????? ???????? af9f15c4 ???????? ???????? ???????? ???????? af9f15d4 ???????? ???????? ???????? ???????? af9f15e4 ???????? ???????? ???????? ???????? af9f15f4 ???????? ???????? ???????? ???????? af9f1604 ???????? ???????? ???????? ???????? af9f1614 ???????? ???????? ???????? ???????? 0:000> u CoolType!CTGetVersion+0xc5572: 6d71fff2 0fb74604 movzx eax,word ptr [esi+4] 6d71fff6 40 inc eax 6d71fff7 894114 mov dword ptr [ecx+14h],eax 6d71fffa 8b8328920000 mov eax,dword ptr [ebx+9228h] 6d720000 8b4014 mov eax,dword ptr [eax+14h] 6d720003 c1e002 shl eax,2 6d720006 50 push eax 6d720007 e8ca5be5ff call CoolType!CTInit+0x2556 (6d575bd6) 0:000> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 00afb81c 6d724241 9e104570 00000002 b6e177e0 CoolType!CTGetVersion+0xc5572 01 00afb83c 6d722bba 9e104570 b6e177e4 00000000 CoolType!CTGetVersion+0xc97c1 02 00afb864 6d6256e4 9e104570 00000001 00afbe30 CoolType!CTGetVersion+0xc813a 03 00afb8a0 6d5a2abe a47accac 00000001 00afbe30 CoolType!CTCleanup+0x4fc94 04 00afbbcc 6d5a12f0 00afbc60 00000001 00afbe20 CoolType!CTInit+0x2f43e 05 00afc6e0 6d59f95d 00000001 00000000 00000000 CoolType!CTInit+0x2dc70 06 00afc7b8 6d59eccd ae264da8 00000032 00afc88c CoolType!CTInit+0x2c2dd 07 00afd118 6d59e368 af3c68fc 00afd14c 48e4e71b CoolType!CTInit+0x2b64d 08 00afd474 6d59e27c af3c68fc af3c68e4 48e4e7df CoolType!CTInit+0x2ace8 09 00afd4b0 6daaa9a1 b1e78f30 af3c68fc af3c68e4 CoolType!CTInit+0x2abfc 0a 00afd4c4 6da6ea3e af3c68e4 6da6e880 98e18f30 AGM!AGMInitialize+0x50541 0b 00afd4d8 6da6e147 98e18f3c 6df01a50 00000001 AGM!AGMInitialize+0x145de 0c 00afd4fc 6daa9f98 00afd528 00afd544 00afd564 AGM!AGMInitialize+0x13ce7 0d 00afd510 6daa9fc4 00000001 26c00b34 00000000 AGM!AGMInitialize+0x4fb38 0e 00afd5c4 72597c55 08b510bc 00000000 00afd5ec AGM!AGMInitialize+0x4fb64 0f 00afd624 6daa9809 af3c6820 00afd6ec 3ab3a740 verifier!AVrfpDphExitHeapPath+0x15 10 00afd690 6daa8957 00afd79c af3c6820 00afd6ec AGM!AGMInitialize+0x4f3a9 11 00afd7b4 6e4f31c1 00afd824 9be36fcc a413cfe0 AGM!AGMInitialize+0x4e4f7 12 00afd828 6e4f306b 00afd9d0 a413cfe0 00afda64 AcroRd32!DllCanUnloadNow+0x1d8f21 13 00afd8a0 6e52d494 00afd9d0 a413cfe0 00afda64 AcroRd32!DllCanUnloadNow+0x1d8dcb 14 00afdbe0 6e528620 b0145000 00afdde0 6e528620 AcroRd32!DllCanUnloadNow+0x2131f4 15 00afddd8 6e52801e a4054a60 6e52801e 00afddf4 AcroRd32!DllCanUnloadNow+0x20e380 16 00afde34 6e524d9d 00afdedc a3c30f68 00000000 AcroRd32!DllCanUnloadNow+0x20dd7e 17 00afdf04 6e4ec84b fdf47bed a445ef78 00000000 AcroRd32!DllCanUnloadNow+0x20aafd 18 00afdfc0 6e518bfa 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1d25ab 19 00afe010 6e50c10c a445ef78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1fe95a 1a 00afe190 6e50b734 a3554d88 6e50b734 a3554dbc AcroRd32!DllCanUnloadNow+0x1f1e6c 1b 00afe200 6e50867f fdf446ad 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1f1494 1c 00afe280 6e50837d b1dfcef0 5f03ef40 a2728eb0 AcroRd32!DllCanUnloadNow+0x1ee3df 1d 00afe2bc 6e50827c b1dfcef0 5f03ef40 a2728eb0 AcroRd32!DllCanUnloadNow+0x1ee0dd 1e 00afe344 6e505d8f b1dfcef0 5f03ef40 00afe568 AcroRd32!DllCanUnloadNow+0x1edfdc 1f 00afe380 6e504664 b1dfcef0 5f03ef40 00afe568 AcroRd32!DllCanUnloadNow+0x1ebaef 20 00afe644 6e5032d8 b1dfcef0 00afe6d8 00afe728 AcroRd32!DllCanUnloadNow+0x1ea3c4 21 00afe748 6e5026cb b1dfcef0 00afe870 00000000 AcroRd32!DllCanUnloadNow+0x1e9038 22 00afe894 6e50152a b1dfcef0 00afe9ec 00000000 AcroRd32!DllCanUnloadNow+0x1e842b 23 00afe8f4 6e5012c5 b1dfcef0 00afe9ec 00000000 AcroRd32!DllCanUnloadNow+0x1e728a 24 00afe974 6e4fd6ef b1dfcef0 00afe9ec 00000000 AcroRd32!DllCanUnloadNow+0x1e7025 25 00afea38 6e4fd092 00000001 00000000 fdf44eb9 AcroRd32!DllCanUnloadNow+0x1e344f 26 00afea94 6e4fce38 b43c4ef0 00000001 fdf44ed5 AcroRd32!DllCanUnloadNow+0x1e2df2 27 00afeaf8 6e4fcbf1 00afebec fdf44821 5e4cef68 AcroRd32!DllCanUnloadNow+0x1e2b98 28 00afec0c 6e3537cd 0000000f 6e3536f0 5e4cef68 AcroRd32!DllCanUnloadNow+0x1e2951 29 00afec24 6e353679 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0x3952d 2a 00afec44 76d915eb 000408ac 0000000f 00000000 AcroRd32!DllCanUnloadNow+0x393d9 2b 00afec70 76d87cda 6e3535b0 000408ac 0000000f USER32!_InternalCallWinProc+0x2b 2c 00afed58 76d878f0 6e3535b0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x33a 2d 00afedbc 76d8bdaf 0b0df640 00000000 0000000f USER32!DispatchClientMessage+0x190 2e 00afedf8 774c56cd 00afee14 00000020 00afee84 USER32!__fnDWORD+0x3f 2f 00afee30 76d866b8 00afeed4 91916c60 00afeed4 ntdll!KiUserCallbackDispatcher+0x4d 30 00afee94 76d860b0 0000000f 00afeeb8 6e36944a USER32!DispatchMessageWorker+0x5f8 31 00afeea0 6e36944a 00afeed4 354b5d88 354b5d88 USER32!DispatchMessageW+0x10 32 00afeeb8 6e3691fe 00afeed4 fdf44b01 354b5d88 AcroRd32!DllCanUnloadNow+0x4f1aa 33 00afef2c 6e3690a4 fdf44b49 354b5d88 00000000 AcroRd32!DllCanUnloadNow+0x4ef5e 34 00afef64 6e2dc39f fdf44bf5 1f1acf40 00000000 AcroRd32!DllCanUnloadNow+0x4ee04 35 00afefd8 6e2dbddc 6dfa0000 00e40000 1f1acf40 AcroRd32!AcroWinMainSandbox+0x74f 36 00aff3fc 0101a615 6dfa0000 00e40000 1f1acf40 AcroRd32!AcroWinMainSandbox+0x18c 37 00aff84c 01093c5a 00e40000 00000000 08b73e60 AcroRd32_exe!CreateCoreWebview2EnvironmentSandbox+0x113c55 38 00aff898 76b7fcc9 00993000 76b7fcb0 00aff904 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1bc7a 39 00aff8a8 774b82ae 00993000 b7f5d512 00000000 KERNEL32!BaseThreadInitThunk+0x19 3a 00aff904 774b827e ffffffff 774d932d 00000000 ntdll!__RtlUserThreadStart+0x2f 3b 00aff914 00000000 01016580 00993000 00000000 ntdll!_RtlUserThreadStart+0x1b Using this vulnerability, it is possible to read arbitrary memory of the process. Because of complex interactions between PDF reader and font subcomponents, especially in the presence of a JavaScript engine, it is possible that sensitive contents of arbitrary memory could be disclosed, which could aid in further exploitation and exploit mitigation bypass. ##### TIMELINE 2025-03-31 - Vendor Disclosure 2025-06-10 - Vendor Patch Release 2025-06-11 - Public Release ##### Credit Discovered by KPC of Cisco Talos. * * * Vulnerability Reports Next Report TALOS-2025-2170 Previous Report TALOS-2024-2126

Query Builder