Talos Vulnerability Report

TALOS-2025-2134

Adobe Acrobat Reader Font hMetric Out-Of-Bounds Read Vulnerability

March 12, 2025

CVE Number

CVE-2025-27163

SUMMARY

An out-of-bounds read vulnerability exists in the Font functionality of Adobe Acrobat Reader 2024.005.20320. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2024.005.20320.

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe Acrobat supports parsing of font files embedded in a PDF. This vulnerability is related to the OpenType font format. An OpenType font file starts with a table directory (TableDirectory) followed by one or more table record (TableRecord) entries. The structure of TableDirectory is as follows:

Offset  Size  Name
------  ----  --------------------------------------
0x00    0x04  sfntVersion (0x00010000 or 0x4F54544F)
0x04    0x02  numTables
0x06    0x02  searchRange
0x08    0x02  entrySelector
0x0c    0x02  rangeShift

If the value of the sfntVersion field is 0x00010000 or 0x74727565 ('true'), the font contains TrueType data. CFF data is present if the value of sfntVersion is 0x4F54544F ('OTTO'). The numTables field specifies the number of TableRecord entries present in the font file. The structure of a TableRecord entry is as follows:

Offset  Size  Name
------  ----  ----------------------------------
0x00    0x04  tableTag
0x04    0x04  tableChecksum
0x08    0x04  tableOffset
0x0C    0x04  tableLength

tableTag is the name of the table the TableRecord describes. The tableOffset field specifies the offset of the table from the beginning of the file, and tableLength indicates the length of the table in bytes. The structure of each table depends on its type, which is identified by the tableTag.

This vulnerability occurs when the font file contains hhea and hmtx tables. For the hhea table the value of the tableTag field is the string hhea, and for the hmtx table the value of the tableTag field is the string hmtx.

The hhea table is a horizontal header table that contains information for horizontal layout. For this vulnerability, the numberOfHMetrics field of the table is important. This field is 2 bytes in size and is located at the offset 0x22 from the start of the hhea table.

The numberOfHMetrics field indicates the number of hMetric entries in the hmtx table.

The hmtx table begins with hMetric entries, and each hMetric entry is 4 bytes in size.

This vulnerability occurs when N < 4 * numberOfHMetrics, where N is the value of the tableLength field of the hmtx table.
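The following script is an added example, not code from the advisory or from Adobe. It parses the TableDirectory and TableRecord layout described above, reads numberOfHMetrics from offset 0x22 of hhea, and applies the N >= 4 * numberOfHMetrics check that a parser must make before walking hMetric entries. The sample fonts are constructed inline with the advisory's values (numberOfHMetrics 0x09, hmtx length 0x0C) and a well-formed counterpart; searchRange, entrySelector, rangeShift and table checksums are left at zero, which is an assumption for the sake of a minimal file and not something the advisory specifies.

```python
"""Check the hhea.numberOfHMetrics / hmtx.tableLength invariant of an sfnt font."""
import struct

SFNT_TRUETYPE = 0x00010000
SFNT_TRUE = 0x74727565      # 'true'
SFNT_OTTO = 0x4F54544F      # 'OTTO'
HMETRIC_SIZE = 4            # each hMetric entry: advanceWidth (2) + lsb (2)
NUM_HMETRICS_OFFSET = 0x22  # numberOfHMetrics lives at hhea + 0x22


def parse_table_directory(data):
    """Return {tag: (tableOffset, tableLength)}; reject records past end of file."""
    if len(data) < 12:
        raise ValueError("file too short for TableDirectory")
    sfnt_version, num_tables = struct.unpack_from(">IH", data, 0)
    if sfnt_version not in (SFNT_TRUETYPE, SFNT_TRUE, SFNT_OTTO):
        raise ValueError("unknown sfntVersion 0x%08x" % sfnt_version)
    tables = {}
    for i in range(num_tables):
        rec_off = 12 + 16 * i  # TableRecords follow the 12-byte directory
        if rec_off + 16 > len(data):
            raise ValueError("TableRecord %d runs past end of file" % i)
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, rec_off)
        if offset + length > len(data):
            raise ValueError("table %r runs past end of file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def check_hmetrics(data):
    """Return (numberOfHMetrics, hmtx length, ok); ok is False when the hmtx
    table is too short for the hMetric entries that hhea declares."""
    tables = parse_table_directory(data)
    if "hhea" not in tables or "hmtx" not in tables:
        raise ValueError("font lacks hhea or hmtx")
    hhea_off, hhea_len = tables["hhea"]
    if hhea_len < NUM_HMETRICS_OFFSET + 2:
        raise ValueError("hhea too short to hold numberOfHMetrics")
    (num_hmetrics,) = struct.unpack_from(">H", data, hhea_off + NUM_HMETRICS_OFFSET)
    _, hmtx_len = tables["hmtx"]
    return num_hmetrics, hmtx_len, hmtx_len >= HMETRIC_SIZE * num_hmetrics


def first_oob_index(num_hmetrics, hmtx_length):
    """Index of the first hMetric entry lying beyond the hmtx table, or None."""
    fitting = hmtx_length // HMETRIC_SIZE
    return fitting if fitting < num_hmetrics else None


def build_font(tables, sfnt_version=SFNT_TRUETYPE):
    """Construct a minimal sfnt file from {tag: payload} (assumption: the
    searchRange/entrySelector/rangeShift fields and checksums are zero)."""
    num = len(tables)
    header = struct.pack(">IHHHH", sfnt_version, num, 0, 0, 0)
    directory, body = b"", b""
    offset = 12 + 16 * num
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag.encode("latin-1"), 0, offset, len(payload))
        body += payload
        offset += len(payload)
    return header + directory + body


def hhea_with(num_hmetrics):
    """A 0x24-byte hhea table (the size seen in the trace) with only the
    version and numberOfHMetrics fields populated."""
    hhea = bytearray(0x24)
    struct.pack_into(">I", hhea, 0, 0x00010000)
    struct.pack_into(">H", hhea, NUM_HMETRICS_OFFSET, num_hmetrics)
    return bytes(hhea)


# Constructed samples: the advisory's values (9 entries declared, 12-byte hmtx)
# and a consistent font with 3 entries in the same 12 bytes.
MALFORMED = build_font({"hhea": hhea_with(9), "hmtx": bytes(0x0C)})
WELLFORMED = build_font({"hhea": hhea_with(3), "hmtx": bytes(0x0C)})

if __name__ == "__main__":
    for name, blob in (("malformed", MALFORMED), ("well-formed", WELLFORMED)):
        n, length, ok = check_hmetrics(blob)
        verdict = "ok" if ok else "REJECT (first bad index %d)" % first_oob_index(n, length)
        print("%s: numberOfHMetrics=%d hmtx length=%#x -> %s" % (name, n, length, verdict))
```

For the advisory's values the script reports the first out-of-range entry as index 3 (offset 12 in a 12-byte table). The trace below faults at index 4 because the reads at index 3 still land inside the page-heap allocation's padding; the point of the check is that any index from 3 on is already past the declared table length, whether or not the surrounding memory happens to be mapped.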

In our proof of concept (PoC), the numberOfHMetrics value is 0x09, and the length of the hmtx table is 0x0C. We can observe the following in the debugger (with PageHeap enabled):

0:002> g
Breakpoint 0 hit
Time Travel Position: 32B0FD:1499
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca76 esp=006fbe04 ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37ee6:
6e80ca76 ff75f0          push    dword ptr [ebp-10h]  ss:002b:006fbe38=47692fd8
0:002> p
Time Travel Position: 32B0FD:149A
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca79 esp=006fbe00 ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37ee9:
6e80ca79 ff7518          push    dword ptr [ebp+18h]  ss:002b:006fbe60=006fbe84
0:002> p
Time Travel Position: 32B0FD:149B
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca7c esp=006fbdfc ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37eec:
6e80ca7c ff7514          push    dword ptr [ebp+14h]  ss:002b:006fbe5c=006fbe90
0:002> p
Time Travel Position: 32B0FD:149C
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca7f esp=006fbdf8 ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37eef:
6e80ca7f ff7510          push    dword ptr [ebp+10h]  ss:002b:006fbe58=00000004 ; ---------------- (1)
0:002> p
Time Travel Position: 32B0FD:149D
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca82 esp=006fbdf4 ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37ef2:
6e80ca82 ff75d0          push    dword ptr [ebp-30h]  ss:002b:006fbe18=0000000c ; ---------------- (2) 
0:002> p
Time Travel Position: 32B0FD:149E
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca85 esp=006fbdf0 ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37ef5:
6e80ca85 ff75cc          push    dword ptr [ebp-34h]  ss:002b:006fbe14=6b9d8ff0
0:002> db 6b9d8ff0                                                              ; ---------------- (3) 
6b9d8ff0  00 58 00 3e 55 29 00 29-8e 55 29 55 d0 d0 d0 d0  .X.>U).).U)U....
6b9d9000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

0:002> p
Time Travel Position: 32B0FD:149F
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca88 esp=006fbdec ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37ef8:
6e80ca88 ff75dc          push    dword ptr [ebp-24h]  ss:002b:006fbe24=00000024 ; ---------------- (4) 
0:002> p
Time Travel Position: 32B0FD:14A0
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca8b esp=006fbde8 ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37efb:
6e80ca8b ff75d8          push    dword ptr [ebp-28h]  ss:002b:006fbe20=73430fd8
0:002> db 73430fd8 L24                                                         ; ---------------- (5) 
73430fd8  00 01 00 00 03 d8 fe ef-00 00 02 58 00 1f 00 1f  ...........X....
73430fe8  02 39 00 01 00 04 00 00-00 00 00 00 00 00 00 00  .9..............
73430ff8  00 00 00 09                                      ....

0:002> p
Time Travel Position: 32B0FD:14A1
eax=73430fd8 ebx=00000003 ecx=6e756701 edx=09000000 esi=6ea779e0 edi=68e10cac
eip=6e80ca8e esp=006fbde4 ebp=006fbe48 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x37efe:
6e80ca8e e861f4ffff      call    CoolType!CTCleanup+0x37364 (6e80bef4)  ; ---------------- (6) 

The method called at (6) processes the hMetric entries. The index value of these entries is pushed at (1). At (2), we can observe the size of the hmtx table (0x0C). The content of the hmtx table is examined at (3). The size of the hhea table, 0x24, is pushed at (4), and the content of the hhea table can be observed at (5).

0:002> p
Time Travel Position: 32B0FD:14C9
eax=00000100 ebx=00000004 ecx=7ffffffd edx=6b9d8ff0 esi=00000009 edi=00000000
eip=6e80bf6f esp=006fbdcc ebp=006fbddc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x373df:
6e80bf6f 98              cwde
0:002> p
Time Travel Position: 32B0FD:14CA
eax=00000100 ebx=00000004 ecx=7ffffffd edx=6b9d8ff0 esi=00000009 edi=00000000
eip=6e80bf70 esp=006fbdcc ebp=006fbddc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x373e0:
6e80bf70 3bde            cmp     ebx,esi                                              ; ---------------- (7) 
0:002> p
Time Travel Position: 32B0FD:14CB
eax=00000100 ebx=00000004 ecx=7ffffffd edx=6b9d8ff0 esi=00000009 edi=00000000
eip=6e80bf72 esp=006fbdcc ebp=006fbddc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x373e2:
6e80bf72 7d1d            jge     CoolType!CTCleanup+0x37401 (6e80bf91)   [br=0]
0:002> p
Time Travel Position: 32B0FD:14CC
eax=00000100 ebx=00000004 ecx=7ffffffd edx=6b9d8ff0 esi=00000009 edi=00000000
eip=6e80bf74 esp=006fbdcc ebp=006fbddc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x373e4:
6e80bf74 8b4d10          mov     ecx,dword ptr [ebp+10h] ss:002b:006fbdec=6b9d8ff0
0:002> p
Time Travel Position: 32B0FD:14CD
eax=00000100 ebx=00000004 ecx=6b9d8ff0 edx=6b9d8ff0 esi=00000009 edi=00000000
eip=6e80bf77 esp=006fbdcc ebp=006fbddc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x373e7:
6e80bf77 0fb6549a01      movzx   edx,byte ptr [edx+ebx*4+1] ds:002b:6b9d9001=?? ; ---------------- (8) 
0:002> db ecx L20
6b9d8ff0  00 58 00 3e 55 29 00 29-8e 55 29 55 d0 d0 d0 d0  .X.>U).).U)U....
6b9d9000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????  
0:002> g
(20b0.1f44): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 32B0FE:0
eax=00000100 ebx=00000004 ecx=6b9d8ff0 edx=6b9d8ff0 esi=00000009 edi=00000000
eip=6e80bf77 esp=006fbdcc ebp=006fbddc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x373e7:
6e80bf77 0fb6549a01      movzx   edx,byte ptr [edx+ebx*4+1] ds:002b:6b9d9001=??
0:002> u
CoolType!CTCleanup+0x373e7:
6e80bf77 0fb6549a01      movzx   edx,byte ptr [edx+ebx*4+1]
6e80bf7c 0fb60c99        movzx   ecx,byte ptr [ecx+ebx*4]
6e80bf80 0fbfc9          movsx   ecx,cx
6e80bf83 0fafc8          imul    ecx,eax
6e80bf86 6603d1          add     dx,cx
6e80bf89 0fb7c2          movzx   eax,dx
6e80bf8c 8b5510          mov     edx,dword ptr [ebp+10h]
6e80bf8f eb16            jmp     CoolType!CTCleanup+0x37417 (6e80bfa7)
0:002> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 006fbddc 6e80ca93     73430fd8 00000024 6b9d8ff0 CoolType!CTCleanup+0x373e7
01 006fbe48 6e7842d4     68e10cac 00000001 00000004 CoolType!CTCleanup+0x37f03
02 006fbe94 6e783ee5     006fbf70 006fc148 00000000 CoolType!CTInit+0x40c54
03 006fc0bc 6e77d684     006fcb7c 006fc148 f2ef93bc CoolType!CTInit+0x40865
04 006fcbc8 6e77b697     00000004 00000000 00000000 CoolType!CTInit+0x3a004
05 006fcca0 6e77a17d     f2f04010 00000032 006fcd74 CoolType!CTInit+0x38017
06 006fd600 6e779818     f2b4a4ec 006fd634 9b155f09 CoolType!CTInit+0x36afd
07 006fd95c 6e77972c     f2b4a4ec f2b4a4d4 9b155fcd CoolType!CTInit+0x36198
08 006fd998 6eb0a971     5a4ccfcc f2b4a4ec f2b4a4d4 CoolType!CTInit+0x360ac
09 006fd9ac 6eaceb2e     f2b4a4d4 6eace970 535eac10 AGM!AGMInitialize+0x50511
0a 006fd9c0 6eace3c7     535eac1c 6ef60a50 00000001 AGM!AGMInitialize+0x146ce
0b 006fd9e4 6eb0a068     006fda10 006fda2c 006fda4c AGM!AGMInitialize+0x13f67
0c 006fd9f8 6eb0a094     00000001 3e4330d7 00000000 AGM!AGMInitialize+0x4fc08
0d 006fdaac 72ca7c55     007010bc 00000000 006fdad4 AGM!AGMInitialize+0x4fc34
0e 006fdb0c 6eb098d9     f2b4a410 006fdbd4 35a10980 verifier!AVrfpDphExitHeapPath+0x15
0f 006fdb78 6eb08a27     006fdc84 f2b4a410 006fdbd4 AGM!AGMInitialize+0x4f479
10 006fdc9c 6f5baf39     006fdd0c 5d25ffcc 7333efe0 AGM!AGMInitialize+0x4e5c7
11 006fdd10 6f5badf8     006fdeb8 7333efe0 006fdf4c AcroRd32!DllCanUnloadNow+0x1d2a99
12 006fdd88 6f5f3dc4     006fdeb8 7333efe0 006fdf4c AcroRd32!DllCanUnloadNow+0x1d2958
13 006fe0c8 6f5eda02     f3208130 006fe2c8 6f5eda02 AcroRd32!DllCanUnloadNow+0x20b924
14 006fe2c0 6f5ed41d     73538a60 6f5ed41d 006fe2dc AcroRd32!DllCanUnloadNow+0x205562
15 006fe31c 6f5ea62d     006fe3c4 f31d0840 00000000 AcroRd32!DllCanUnloadNow+0x204f7d
16 006fe3ec 6f5b4968     873be5ec 73538a60 00000003 AcroRd32!DllCanUnloadNow+0x20218d
17 006fe4a8 6f63a22d     00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1cc4c8
18 006fe508 6f64b1ff     00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x251d8d
19 006fe58c 6f6bc90e     73522f78 6f64bf10 006fe65c AcroRd32!DllCanUnloadNow+0x262d5f
1a 006fe70c 6f6bc656     f321f130 62bc2dc0 00000000 AcroRd32!DllCanUnloadNow+0x2d446e
1b 006fe724 6f648958     f321f130 6f6becc0 62bc2dc0 AcroRd32!DllCanUnloadNow+0x2d41b6
1c 006fe8f0 6fb93502     62bc2dc0 00000000 006fe938 AcroRd32!DllCanUnloadNow+0x2604b8
1d 006fe960 6fb94816     62bc2dc0 00000000 00000000 AcroRd32!ixVectorNextHit+0x25ad72
1e 006fe97c 700f05b8     62bc2dc0 00000000 700f0210 AcroRd32!ixVectorNextHit+0x25c086
1f 006febe0 6fe001e6     006fec5c 62980fe8 00000001 AcroRd32!AIDE::PixelPartInfo::operator=+0x320758
20 006fecec 6fe50a90     a3552b58 00000000 006fed14 AcroRd32!AIDE::PixelPartInfo::operator=+0x30386
21 006fecfc 6f565909     8affcca0 6f5658c0 4d932ff0 AcroRd32!AIDE::PixelPartInfo::operator=+0x80c30
22 006fed14 6f56555f     92d90fc8 006fed44 873bec1c AcroRd32!DllCanUnloadNow+0x17d469
23 006fed58 6f565462     92d90fc8 00000000 92d90fc8 AcroRd32!DllCanUnloadNow+0x17d0bf
24 006fed70 6f5653ac     92d90fc8 00000000 006fed9c AcroRd32!DllCanUnloadNow+0x17cfc2
25 006fed80 6fe6b569     00000000 8a748c10 6fe6b520 AcroRd32!DllCanUnloadNow+0x17cf0c
26 006fed9c 6f443e01     00000000 88dc4ff4 81c78cd0 AcroRd32!AIDE::PixelPartInfo::operator=+0x9b709
27 006ff01c 6f4464ae     873bf100 2f7e8d90 2f7e8d90 AcroRd32!DllCanUnloadNow+0x5b961
28 006ff044 6f4460f4     00000000 873bf130 2f7e8d90 AcroRd32!DllCanUnloadNow+0x5e00e
29 006ff074 6f430fd3     00000000 873bf1ac 2f7e8d90 AcroRd32!DllCanUnloadNow+0x5dc54
2a 006ff0e8 6f430e34     873bf064 2f7e8d90 00000000 AcroRd32!DllCanUnloadNow+0x48b33
2b 006ff120 6f3aa81f     873bf0d0 1c676ff8 00000000 AcroRd32!DllCanUnloadNow+0x48994
2c 006ff194 6f3aa25c     6f0d0000 00eb0000 1c676ff8 AcroRd32!AcroWinMainSandbox+0x74f
2d 006ff5b8 01088bb5     6f0d0000 00eb0000 1c676ff8 AcroRd32!AcroWinMainSandbox+0x18c
2e 006ffa08 01101f8a     00eb0000 00000000 00720018 AcroRd32_exe!CreateCoreWebview2EnvironmentSandbox+0x112b05
Unable to load image C:\Windows\System32\KERNEL32.DLL, Win32 error 0n2
2f 006ffa54 7673fcc9     00583000 7673fcb0 006ffac0 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1bc6a
30 006ffa64 7797809e     00583000 5eeccdfb 00000000 KERNEL32!BaseThreadInitThunk+0x19
31 006ffac0 7797806e     ffffffff 77999124 00000000 ntdll!__RtlUserThreadStart+0x2f
32 006ffad0 00000000     01084b20 00583000 00000000 ntdll!_RtlUserThreadStart+0x1b

In the hMetrics processing method, at (7), the index value is checked to see if it is less than numberOfHMetrics before an hMetric entry is read. However, this check is insufficient, because numberOfHMetrics comes from the hhea table and is never compared against the actual length of the hmtx table. If we continue execution, a crash occurs at (8) due to an out-of-bounds read.

Using this vulnerability, it is possible to read arbitrary memory of the process. Because of complex interactions between the PDF reader and its font subcomponents, especially in the presence of a JavaScript engine, it is possible that sensitive contents of arbitrary memory could be disclosed, which could aid in further exploitation and exploit mitigation bypass.

TIMELINE

2025-01-13 - Vendor Disclosure
2025-03-11 - Vendor Patch Release
2025-03-12 - Public Release

Credit

Discovered by KPC of Cisco Talos.