Adobe fixed multiple critical flaws in Acrobat and Reader

Adobe addressed multiple code execution vulnerabilities in several products, including Adobe Acrobat and Reader.

Adobe addressed multiple code execution vulnerabilities in its products, including Adobe Acrobat and Reader software

The software giant released its Patch Tuesday updates to fix 35 security vulnerabilities 12 of these issues impact Adobe Acrobat and Reader software.

The arbitrary code execution issues fixed by the company includes Use After Free, Improper Input Validation, and Improper Access Control.

Vulnerability Category Vulnerability Impact Severity CVSS base score CVSS vector CVE Number
Use After Free (CWE-416) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-30284
Out-of-bounds Write (CWE-787) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-30310
Use After Free (CWE-416) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-34094
Use After Free (CWE-416) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-34095
Use After Free (CWE-416) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-34096
Use After Free (CWE-416) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-34097
Improper Input Validation (CWE-20) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-34098
Improper Access Control (CWE-284) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-34099
Use After Free (CWE-416) Arbitrary code execution Critical 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-34100
Out-of-bounds Read (CWE-125) Memory leak Important 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-30311
Out-of-bounds Read (CWE-125) Memory leak Important 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-30312
Out-of-bounds Read (CWE-125) Memory leak Moderate 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2024-34101

The vulnerabilities were reported by the following experts and research team:

  • Mark Vincent Yason (markyason.github.io) working with Trend Micro Zero Day Initiative – CVE-2024-30284, CVE-2024-34094, CVE-2024-34095, CVE-2024-34096, CVE-2024-34097
  • Cisco Talos (ciscotalos)  – CVE-2024-30311, CVE-2024-30312
  • Bobby Gould of Trend Micro Zero Day Initiative – CVE-2024-30310, CVE-2024-34101
  • AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa) – CVE-2024-34098, CVE-2024-34099
  • Suyue Guo and Wei You from Renmin University of China (ruc_se_sec) – CVE-2024-34100

Adobe PSIRT is not aware of attacks in the wild exploiting the above vulnerabilities.

The vulnerabilities impact versions: 24.002.20736 and earlier, and 20.005.30574 and earlier for Windows and macOS operating systems.

Adobe also fixed issues in Adobe Illustrator (APSB24-30), Adobe Aero (APSB24-33), Adobe Dreamweaver (APSB24-39), Adobe Substance 3D Painter (APSB24-31), Adobe Substance 3D Designer (APSB24-35), Adobe Animate (APSB24-36), Adobe FrameMaker (APSB24-37).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Acrobat)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter