CVE-2025-43578
An out-of-bounds read vulnerability exists in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Adobe Acrobat Reader 2025.001.20435
Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html
6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-839 - Numeric Range Comparison Without Minimum Check
Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.
Adobe Acrobat supports parsing of embedded font files in the PDF. This vulnerability is related to the OpenType font format. An OpenType font file starts with a table directory (TableDirectory) followed by one or more table record (TableRecord) entries. The structure of TableDirectory is as follows:
Offset Size Name
------ ----- --------------------------------------
0x00 0x04 sfntVersion (0x00010000 or 0x4F54544F)
0x04 0x02 numTables
0x06 0x02 searchRange
0x08 0x02 entrySelector
0x0c 0x02 rangeShift
If the value of the sfntVersion field is 0x00010000 or 0x74727565, the font contains TrueType data. CFF data is present if the value of sfntVersion is 0x4F54544F ('OTTO'). The numTables field specifies the number of TableRecord entries present in the font file. The structure of a TableRecord entry is as follows:
Offset Size Name
------ ----- ----------------------------------
0x00 0x04 tableTag
0x04 0x04 tableChecksum
0x08 0x04 tableOffset
0x0C 0x04 tableLength
tableTag is the name of the TableRecord. The tableOffset field specifies the offset of the table from the beginning of the file. The tableLength field indicates the length of the table. The structure of each table depends on its type, which is defined by the tableTag.
This vulnerability is related to the CFF2 table. For the CFF2 table, the value of the tableTag field is the string CFF2.
CFF2 stands for Compact Font Format version 2 table. It is used to store and represent glyph outlines and other related data for OpenType fonts. A CFF2 table starts with a table header, followed by the Top DICT, Global Subr INDEX, VariationStore and so on. The structure of the CFF2 table header is as follows:
Offset Size Name
------ ----- --------------------------------------
0x00 0x01 cff2MajorVersion
0x01 0x01 cff2MinorVersion
0x02 0x01 cff2HeaderSize
0x03 0x02 topDictLength
Here, the topDictLength field indicates the length of the Top DICT data in bytes. The Top DICT data is dictionary data comprising key-value pairs, where the key is a 1- or 2-byte operator and the value is encoded as one or more variable-size numeric operands. The important thing to note here is that in Top DICT data, an operator is preceded by the operand(s) that specify its value. The following table lists the types of operators Top DICT data may contain:
Operator Name Operator Value Operand type and meaning
----------------------------------------------------------------------------------------------------------
CharStrings 0x11 number and it gives CharStrings INDEX offset, from start of the CFF2 table.
vstore 0x18 number and it specifies VariationStore structure offset, from start of the CFF2 table.
FontDICTINDEXOffset 0x0C 0x24 number and it gives FontDICT (FD) INDEX offset, from start of the CFF2 table.
FontDICTSelectOffset 0x0C 0x25 number and it specifies offset to the FontDICTSelect subtable, from start of the CFF2 table.
FontMatrix 0x0c 0x07 array and default value is (0.001 0 0 0.001 0 0)
For this vulnerability, the vstore and FontDICTINDEXOffset operators play crucial roles. The byte value of the vstore operator is 0x18. Its operand specifies the offset to the VariationStore structure from the start of the CFF2 table. Similarly, the byte value of the FontDICTINDEXOffset operator is 0x0C24. The operand for this operator provides the offset to the FontDICTINDEX structure from the beginning of the CFF2 table. The operand value is encoded and can be decoded using the following pseudo Python code:
# usage: decode_integer(b"\x1d\x00\x00\x00\x8a")  -> 0x8a
def decode_integer(data):
    """Decode one CFF2 DICT integer operand from the start of data."""
    first_byte = data[0]
    if 32 <= first_byte <= 246:
        # single-byte operand, range -107..107
        return first_byte - 139
    elif 247 <= first_byte <= 250:
        # two-byte positive operand, range 108..1131
        return (first_byte - 247) * 256 + data[1] + 108
    elif 251 <= first_byte <= 254:
        # two-byte negative operand, range -1131..-108
        return -(first_byte - 251) * 256 - data[1] - 108
    elif first_byte == 28:
        # three-byte operand: 16-bit big-endian value follows
        return data[1] * 256 + data[2]
    elif first_byte == 29:
        # five-byte operand: 32-bit big-endian value follows
        return (data[1] << 24) + (data[2] << 16) + (data[3] << 8) + data[4]
    raise ValueError("not an integer operand: 0x%02x" % first_byte)
In our case, the Top DICT data contains four operators, and the content of the Top DICT data is as follows:
F7 35 0C 25 => (operator: FontDICTSelectOffset, operand after decoding: 0xA1)
1D 00 00 17 BC 0C 24 => (operator: FontDICTINDEXOffset, operand after decoding: 0x17BC)
F7 40 11 => (operator: CharStrings, operand after decoding: 0xAC)
A4 18 => (operator: vstore, operand after decoding: 0x19)
The fourth entry of the Top DICT data signifies that it contains a VariationStore, which begins at an offset of 0x19 from the start of the CFF2 table. The structure of the VariationStore is as follows:
Offset Size Name
--------------------------------------------------------------
0x00 0x02 Length
0x02 0x02 Format
0x04 0x04 variationRegionListOffset
0x08 0x02 itemVariationDataCount (N)
0x0A 0x04 * N itemVariationDataOffsets[N]
Length indicates the total size in bytes of the Item Variation Store. The Item Variation Store structure begins with the Format field. The itemVariationDataCount is crucial, as it specifies the number of item variation data subtables.
The second entry of the Top DICT data indicates that it contains the FontDICTINDEX, which starts at an offset of 0x17BC from the beginning of the CFF2 table.
The FontDICTINDEX consists of a header followed by an array of FontDICT tables. The structure of the FontDICTINDEX header is as follows:
Offset Size Name
--------------------------------------------------------------
0x00 0x04 FontDICTCount (M)
0x04 0x01 FontDICTOffsetSize (L)
0x05 (M+1)*L FontDICTOffsets
FontDICTCount specifies the number of FontDICT entries stored in the FontDICTINDEX. FontDICTOffsets is an offset array, with the total size of the array being (FontDICTCount + 1) * FontDICTOffsetSize bytes. The size of each element in the offset array is determined by FontDICTOffsetSize. Offsets within the array are relative to the byte preceding the FontDICT data.
In our case, FontDICTCount is 0x02, indicating that two FontDICT entries are present. Their values are:
FontDict-1 => F7 24 1D 00 00 17 D4 12 (PrivateDICTSize=0x90, PrivateDICTOffset=0x17d4)
FontDict-2 => F7 08 1D 00 00 18 44 12 (PrivateDICTSize=0x74, PrivateDICTOffset=0x1844)
The operands of a FontDict entry give the size (PrivateDICTSize) and offset (PrivateDICTOffset) of its PrivateDICT. These values can be decoded using the decode_integer function mentioned earlier. Here, PrivateDICTOffset indicates the offset of the PrivateDICT from the start of the CFF2 table. The operator value for FontDict must be 0x12.
The structure of a PrivateDICT is the same as that of the Top DICT. Note that the operand type is defined by the corresponding operator value. The following table lists the types of operators PrivateDICT data may contain:
Operator Value Operator Name Operator Purpose
------------------------------------------------------------
0x13 LocalSubrINDEXOffset subroutines
0x16 vsindex variation
0x17 blend variation
0x06 BlueValues hinting
0x07 OtherBlues hinting
0x08 FamilyBlues hinting
0x09 FamilyOtherBlues hinting
0x0c09 BlueScale hinting
0x0c0a BlueShift hinting
0x0c0b BlueFuzz hinting
0x0a StdHW hinting
0x0b StdVW hinting
0x0c0c StemSnapH hinting
0x0c0d StemSnapV hinting
0x0c11 LanguageGroup hinting
0x0c12 ExpansionFactor hinting
Here, the vsindex PrivateDICT operator is important. It takes only a single operand, ivd, which specifies the index of the ItemVariationData structure to be used. This vulnerability occurs when the value of ivd is greater than or equal to itemVariationDataCount.
The following debugger output (with PageHeap enabled) shows the processing of vstore:
0:000> p
Time Travel Position: 3D82BE:1CE2
eax=0000000c ebx=9e104570 ecx=00000004 edx=00005510 esi=000031f0 edi=9e104570
eip=6d725517 esp=00afc114 ebp=00afc134 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
CoolType!CTGetVersion+0xcaa97:
6d725517 57 push edi
0:000> p
Time Travel Position: 3D82BE:1CE3
eax=0000000c ebx=9e104570 ecx=00000004 edx=00005510 esi=000031f0 edi=9e104570
eip=6d725518 esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
CoolType!CTGetVersion+0xcaa98:
6d725518 e8e5d6ffff call CoolType!CTGetVersion+0xc8182 (6d722c02) ;<--------------------- (1)
0:000> p
Time Travel Position: 3D82BE:1CFD
eax=00000001 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570
eip=6d72551d esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xcaa9d:
6d72551d 66898738020000 mov word ptr [edi+238h],ax ds:002b:9e1047a8=ffff ;<--------------------- (2)
0:000> p
Time Travel Position: 3D82BE:1CFE
eax=00000001 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570
eip=6d725524 esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xcaaa4:
6d725524 0fb7c0 movzx eax,ax
0:000> p
Time Travel Position: 3D82BE:1CFF
eax=00000001 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570
eip=6d725527 esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xcaaa7:
6d725527 c1e004 shl eax,4 ;<----------------------- (3)
0:000> p
Time Travel Position: 3D82BE:1D00
eax=00000010 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570
eip=6d72552a esp=00afc110 ebp=00afc134 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xcaaaa:
6d72552a 50 push eax
0:000> p
Time Travel Position: 3D82BE:1D01
eax=00000010 ebx=9e104570 ecx=00000001 edx=00005510 esi=000031f0 edi=9e104570
eip=6d72552b esp=00afc10c ebp=00afc134 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xcaaab:
6d72552b e8a606e5ff call CoolType!CTInit+0x2556 (6d575bd6) ;<----------------------- (4)
0:000> p
Time Travel Position: 3D82C2:115B
eax=af9f2ff0 ebx=9e104570 ecx=6d575bfe edx=00000000 esi=000031f0 edi=9e104570
eip=6d725530 esp=00afc10c ebp=00afc134 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
CoolType!CTGetVersion+0xcaab0:
6d725530 89873c020000 mov dword ptr [edi+23Ch],eax ds:002b:9e1047ac=00000000
0:000> dd eax ;<----------------------- (5)
af9f2ff0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
af9f3000 ???????? ???????? ???????? ????????
[...]
0:000> p
Time Travel Position: 3D82CD:1C3C
eax=00000008 ebx=00000000 ecx=00008000 edx=00afbfdc esi=af9f2ff0 edi=9e104570
eip=6d72562a esp=00afc114 ebp=00afc134 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
CoolType!CTGetVersion+0xcabaa:
6d72562a 663bc1 cmp ax,cx
0:000> p
Time Travel Position: 3D82CD:1C3D
eax=00000008 ebx=00000000 ecx=00008000 edx=00afbfdc esi=af9f2ff0 edi=9e104570
eip=6d72562d esp=00afc114 ebp=00afc134 iopl=0 ov up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000a83
CoolType!CTGetVersion+0xcabad:
6d72562d 0f87e3000000 ja CoolType!CTGetVersion+0xcac96 (6d725716) [br=0]
0:000> db af9f2ff0 ;<----------------------- (6)
af9f2ff0 00 00 00 00 08 00 c0 c0-00 00 00 00 c0 c0 c0 c0 ................
af9f3000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
At (1), a method is called to read the itemVariationDataCount field of the VariationStore structure. The value of itemVariationDataCount is 0x01, which can be observed at (2). A buffer size is calculated from itemVariationDataCount at (3). At (4), a method calls malloc to allocate the vulnerable buffer. The contents of the vulnerable buffer are examined at (5). The buffer is used to store the item variation data subtable, and its contents can be observed at (6) after initialization.
After processing vstore, the application eventually processes the second PrivateDICT, which contains the malformed vsindex operator.
0:000> g
eax=00000000 ebx=ba1bd3ec ecx=00000000 edx=b02cefc8 esi=9e104570 edi=b6e177e4
eip=6d7231ba esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc873a:
6d7231ba 8b8e44230000 mov ecx,dword ptr [esi+2344h] ds:002b:9e1068b4=b7558e00
0:000> p
Time Travel Position: 3D8519:1C40
eax=00000000 ebx=ba1bd3ec ecx=b7558e00 edx=b02cefc8 esi=9e104570 edi=b6e177e4
eip=6d7231c0 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc8740:
6d7231c0 8bc1 mov eax,ecx
0:000> db ecx ;<----------------------- (7)
b7558e00 fc 39 9a 1d 00 00 05 d6-9a 88 a3 7d 8d 8e 81 76 .9.........}...v
b7558e10 82 8b 8b 8b 8b 8b 8b 8b-8b 69 94 93 75 8e 9d a6 .........i..u...
b7558e20 99 8b 8b 8b 8b 8b 8b 8b-8b 8f 17 16 07 1e a0 37 ...............7
b7558e30 5f 8b ab 1e a0 09 37 5f-8b 8b 8b 8b 8b 8c 17 0c _.....7_........
b7558e40 09 8b 0c 0b b9 74 9c 9d-75 88 9c 8a 7a 8c 17 0a .....t..u...z...
b7558e50 e0 52 f4 96 79 84 99 8e-7f 8c 17 0b b9 46 b3 8c .R..y........F..
b7558e60 63 96 a7 79 7f 0c 0c e0-fb 22 f7 36 2d 6e 96 a0 c..y.....".6-n..
b7558e70 80 7c 0c 0d 00 01 00 00-00 0a 00 30 00 3e 00 04 .|.........0.>..
[...]
0:000> p
Time Travel Position: 3D8519:1C60
eax=b7558e01 ebx=00000000 ecx=00000001 edx=b02ceffc esi=9e104570 edi=000000fc
eip=6d724562 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283
CoolType!CTGetVersion+0xc9ae2:
6d724562 8a10 mov dl,byte ptr [eax] ds:002b:b7558e01=39
0:000> p
Time Travel Position: 3D8519:1C61
eax=b7558e01 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=000000fc
eip=6d724564 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283
CoolType!CTGetVersion+0xc9ae4:
6d724564 40 inc eax
0:000> p
Time Travel Position: 3D8519:1C62
eax=b7558e02 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=000000fc
eip=6d724565 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283
CoolType!CTGetVersion+0xc9ae5:
6d724565 898644230000 mov dword ptr [esi+2344h],eax ds:002b:9e1068b4=b7558e01
0:000> p
Time Travel Position: 3D8519:1C63
eax=b7558e02 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=000000fc
eip=6d72456b esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283
CoolType!CTGetVersion+0xc9aeb:
6d72456b c1e708 shl edi,8
0:000> p
Time Travel Position: 3D8519:1C64
eax=b7558e02 ebx=00000000 ecx=00000001 edx=b02cef39 esi=9e104570 edi=0000fc00
eip=6d72456e esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
CoolType!CTGetVersion+0xc9aee:
6d72456e b994fa0000 mov ecx,0FA94h
0:000> p
Time Travel Position: 3D8519:1C65
eax=b7558e02 ebx=00000000 ecx=0000fa94 edx=b02cef39 esi=9e104570 edi=0000fc00
eip=6d724573 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
CoolType!CTGetVersion+0xc9af3:
6d724573 2bcf sub ecx,edi
0:000> p
Time Travel Position: 3D8519:1C66
eax=b7558e02 ebx=00000000 ecx=fffffe94 edx=b02cef39 esi=9e104570 edi=0000fc00
eip=6d724575 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283
CoolType!CTGetVersion+0xc9af5:
6d724575 0fb6c2 movzx eax,dl
0:000> p
Time Travel Position: 3D8519:1C67
eax=00000039 ebx=00000000 ecx=fffffe94 edx=b02cef39 esi=9e104570 edi=0000fc00
eip=6d724578 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283
CoolType!CTGetVersion+0xc9af8:
6d724578 2bc8 sub ecx,eax
0:000> p
Time Travel Position: 3D8519:1C68
eax=00000039 ebx=00000000 ecx=fffffe5b edx=b02cef39 esi=9e104570 edi=0000fc00
eip=6d72457a esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000292
CoolType!CTGetVersion+0xc9afa:
6d72457a 898cde8c020000 mov dword ptr [esi+ebx*8+28Ch],ecx ds:002b:9e1047fc=fffffe5b ;<----------------------- (8)
Evaluate expression: -421 = fffffe5b
[...]
0:000> g-
compare to switch
Time Travel Position: 3D851D:DD8
eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d723207 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
CoolType!CTGetVersion+0xc8787:
6d723207 83ff1f cmp edi,1Fh ;<----------------------- (9)
0:000> p
Time Travel Position: 3D851D:DD9
eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d72320a esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
CoolType!CTGetVersion+0xc878a:
6d72320a 0f87a5130000 ja CoolType!CTGetVersion+0xc9b35 (6d7245b5) [br=0]
0:000> p
Time Travel Position: 3D851D:DDA
eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d723210 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
CoolType!CTGetVersion+0xc8790:
6d723210 ff24bd5346726d jmp dword ptr CoolType!CTGetVersion+0xc9bd3 (6d724653)[edi*4] ds:002b:6d7246ab=6d724147
0:000> p
Time Travel Position: 3D851D:DDB
eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724147 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
CoolType!CTGetVersion+0xc96c7:
6d724147 807e5c02 cmp byte ptr [esi+5Ch],2 ds:002b:9e1045cc=02
0:000> p
Time Travel Position: 3D851D:DDC
eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d72414b esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc96cb:
6d72414b 0f853f040000 jne CoolType!CTGetVersion+0xc9b10 (6d724590) [br=0]
0:000> p
Time Travel Position: 3D851D:DDD
eax=000000f7 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724151 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc96d1:
6d724151 8b45fc mov eax,dword ptr [ebp-4] ss:002b:00afb838=ba1bd3c4
0:000> p
Time Travel Position: 3D851D:DDE
eax=ba1bd3c4 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724154 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc96d4:
6d724154 8b8028920000 mov eax,dword ptr [eax+9228h] ds:002b:ba1c65ec=af8e0fe8
0:000> p
Time Travel Position: 3D851D:DDF
eax=af8e0fe8 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d72415a esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc96da:
6d72415a 85c0 test eax,eax
0:000> p
Time Travel Position: 3D851D:DE0
eax=af8e0fe8 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d72415c esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
CoolType!CTGetVersion+0xc96dc:
6d72415c 740d je CoolType!CTGetVersion+0xc96eb (6d72416b) [br=0]
0:000> p
Time Travel Position: 3D851D:DE1
eax=af8e0fe8 ebx=ba1bd3ec ecx=b7558e2b edx=b6e17716 esi=9e104570 edi=00000016
eip=6d72415e esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
CoolType!CTGetVersion+0xc96de:
6d72415e 33c9 xor ecx,ecx
0:000> p
Time Travel Position: 3D851D:DE2
eax=af8e0fe8 ebx=ba1bd3ec ecx=00000000 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724160 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc96e0:
6d724160 41 inc ecx
0:000> p
Time Travel Position: 3D851D:DE3
eax=af8e0fe8 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724161 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc96e1:
6d724161 66394802 cmp word ptr [eax+2],cx ds:002b:af8e0fea=0000
0:000> p
Time Travel Position: 3D851D:DE4
eax=af8e0fe8 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724165 esp=00afb828 ebp=00afb83c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000297
CoolType!CTGetVersion+0xc96e5:
6d724165 0f8425040000 je CoolType!CTGetVersion+0xc9b10 (6d724590) [br=0]
[...]
0:000> p
Time Travel Position: 3D851D:DE8
eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724174 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
CoolType!CTGetVersion+0xc96f4:
6d724174 7d16 jge CoolType!CTGetVersion+0xc970c (6d72418c) [br=1]
0:000> p
Time Travel Position: 3D851D:DE9
eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d72418c esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
CoolType!CTGetVersion+0xc970c:
6d72418c 83be8802000000 cmp dword ptr [esi+288h],0 ds:002b:9e1047f8=00000001
0:000> p
Time Travel Position: 3D851D:DEA
eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724193 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc9713:
6d724193 7408 je CoolType!CTGetVersion+0xc971d (6d72419d) [br=0]
0:000> p
Time Travel Position: 3D851D:DEB
eax=00000001 ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d724195 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc9715:
6d724195 8b868c020000 mov eax,dword ptr [esi+28Ch] ds:002b:9e1047fc=fffffe5b ;<----------------------- (10)
0:000> t
Time Travel Position: 3D851D:DEC
eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d72419b esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc971b:
6d72419b eb08 jmp CoolType!CTGetVersion+0xc9725 (6d7241a5)
0:000> t
Time Travel Position: 3D851D:DED
eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d7241a5 esp=00afb828 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc9725:
6d7241a5 50 push eax
0:000> t
Time Travel Position: 3D851D:DEE
eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d7241a6 esp=00afb824 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc9726:
6d7241a6 56 push esi
0:000> t
Time Travel Position: 3D851D:DEF
eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d7241a7 esp=00afb820 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc9727:
6d7241a7 89835c010000 mov dword ptr [ebx+15Ch],eax ds:002b:ba1bd548=00000000;<----------------------- (11)
0:000> t
Time Travel Position: 3D851D:DF0
eax=fffffe5b ebx=ba1bd3ec ecx=00000001 edx=b6e17716 esi=9e104570 edi=00000016
eip=6d7241ad esp=00afb820 ebp=00afb83c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
CoolType!CTGetVersion+0xc972d:
6d7241ad e8e0210000 call CoolType!CTGetVersion+0xcb912 (6d726392)
[...]
0:000> p
Time Travel Position: 3D851D:1E0E
eax=00000001 ebx=ba1bd3c4 ecx=fffffe5b edx=b02cefc8 esi=9e104570 edi=9e104570
eip=6d71ffab esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
CoolType!CTGetVersion+0xc552b:
6d71ffab 8bb384010000 mov esi,dword ptr [ebx+184h] ds:002b:ba1bd548=fffffe5b ;<----------------------- (12)
0:000> p
Breakpoint 0 hit
Time Travel Position: 3D851D:1E0F
eax=00000001 ebx=ba1bd3c4 ecx=fffffe5b edx=b02cefc8 esi=fffffe5b edi=9e104570
eip=6d71ffb1 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
CoolType!CTGetVersion+0xc5531:
6d71ffb1 3bf0 cmp esi,eax ;<----------------------- (13)
0:000> p
Time Travel Position: 3D851D:1E10
eax=00000001 ebx=ba1bd3c4 ecx=fffffe5b edx=b02cefc8 esi=fffffe5b edi=9e104570
eip=6d71ffb3 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
CoolType!CTGetVersion+0xc5533:
6d71ffb3 0f8db8010000 jge CoolType!CTGetVersion+0xc56f1 (6d720171) [br=0] ;<----------------------- (14)
[..]
0:000> p
Time Travel Position: 3D851D:1E16
eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570
eip=6d71ffd5 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
CoolType!CTGetVersion+0xc5555:
6d71ffd5 85c0 test eax,eax
0:000> p
Time Travel Position: 3D851D:1E17
eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570
eip=6d71ffd7 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
CoolType!CTGetVersion+0xc5557:
6d71ffd7 0f8494010000 je CoolType!CTGetVersion+0xc56f1 (6d720171) [br=0]
0:000> p
Time Travel Position: 3D851D:1E18
eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570
eip=6d71ffdd esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
CoolType!CTGetVersion+0xc555d:
6d71ffdd 83bf4402000000 cmp dword ptr [edi+244h],0 ds:002b:9e1047b4=b6debfe0
0:000> p
Time Travel Position: 3D851D:1E19
eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570
eip=6d71ffe4 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282
CoolType!CTGetVersion+0xc5564:
6d71ffe4 0f8487010000 je CoolType!CTGetVersion+0xc56f1 (6d720171) [br=0]
0:000> p
Time Travel Position: 3D851D:1E1A
eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=fffffe5b edi=9e104570
eip=6d71ffea esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282
CoolType!CTGetVersion+0xc556a:
6d71ffea c1e604 shl esi,4 ;<----------------------- (15)
0:000> p
Time Travel Position: 3D851D:1E1B
eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=ffffe5b0 edi=9e104570
eip=6d71ffed esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000283
CoolType!CTGetVersion+0xc556d:
6d71ffed 03f0 add esi,eax ;<----------------------- (16)
0:000> dd eax
af9f2ff0 00000000 c0c00008 b64cfff0 c0c0c0c0
af9f3000 ???????? ???????? ???????? ????????
af9f3010 ???????? ???????? ???????? ????????
af9f3020 ???????? ???????? ???????? ????????
af9f3030 ???????? ???????? ???????? ????????
af9f3040 ???????? ???????? ???????? ????????
af9f3050 ???????? ???????? ???????? ????????
af9f3060 ???????? ???????? ???????? ????????
The buffer examined at (7) contains the second PrivateDICT. Bytes within the PrivateDICT pass through a switch statement; if they do not match an operator value, they are decoded as operands using the logic defined in the decode_integer function. The first decoded operand value is 0xfffffe5b (-421), as observed at (8). The first operator value is 0x16, present in the register edi, indicating the operator type is vsindex, as seen at (9). At (10), the first decoded operand is loaded into a register and later saved as ivd at (11).
At (13), esi contains ivd, and eax holds the value of itemVariationDataCount. The jump at (14) is not taken because the comparison is signed and the negative ivd compares as less than itemVariationDataCount. Later, at (15), ivd is used as an index to calculate an offset, which is added to the address of the vulnerable buffer at (16). Accessing this buffer results in an out-of-bounds read, which can be observed at the time of the crash.
0:000> p
(12b8.a78): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 3D851E:0
eax=af9f2ff0 ebx=ba1bd3c4 ecx=af8e0fe8 edx=b02cefc8 esi=af9f15a0 edi=9e104570
eip=6d71fff2 esp=00afb7f4 ebp=00afb81c iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287
CoolType!CTGetVersion+0xc5572:
6d71fff2 0fb74604 movzx eax,word ptr [esi+4] ds:002b:af9f15a4=????
0:000> dd af9f15a4
af9f15a4 ???????? ???????? ???????? ????????
af9f15b4 ???????? ???????? ???????? ????????
af9f15c4 ???????? ???????? ???????? ????????
af9f15d4 ???????? ???????? ???????? ????????
af9f15e4 ???????? ???????? ???????? ????????
af9f15f4 ???????? ???????? ???????? ????????
af9f1604 ???????? ???????? ???????? ????????
af9f1614 ???????? ???????? ???????? ????????
0:000> u
CoolType!CTGetVersion+0xc5572:
6d71fff2 0fb74604 movzx eax,word ptr [esi+4]
6d71fff6 40 inc eax
6d71fff7 894114 mov dword ptr [ecx+14h],eax
6d71fffa 8b8328920000 mov eax,dword ptr [ebx+9228h]
6d720000 8b4014 mov eax,dword ptr [eax+14h]
6d720003 c1e002 shl eax,2
6d720006 50 push eax
6d720007 e8ca5be5ff call CoolType!CTInit+0x2556 (6d575bd6)
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00afb81c 6d724241 9e104570 00000002 b6e177e0 CoolType!CTGetVersion+0xc5572
01 00afb83c 6d722bba 9e104570 b6e177e4 00000000 CoolType!CTGetVersion+0xc97c1
02 00afb864 6d6256e4 9e104570 00000001 00afbe30 CoolType!CTGetVersion+0xc813a
03 00afb8a0 6d5a2abe a47accac 00000001 00afbe30 CoolType!CTCleanup+0x4fc94
04 00afbbcc 6d5a12f0 00afbc60 00000001 00afbe20 CoolType!CTInit+0x2f43e
05 00afc6e0 6d59f95d 00000001 00000000 00000000 CoolType!CTInit+0x2dc70
06 00afc7b8 6d59eccd ae264da8 00000032 00afc88c CoolType!CTInit+0x2c2dd
07 00afd118 6d59e368 af3c68fc 00afd14c 48e4e71b CoolType!CTInit+0x2b64d
08 00afd474 6d59e27c af3c68fc af3c68e4 48e4e7df CoolType!CTInit+0x2ace8
09 00afd4b0 6daaa9a1 b1e78f30 af3c68fc af3c68e4 CoolType!CTInit+0x2abfc
0a 00afd4c4 6da6ea3e af3c68e4 6da6e880 98e18f30 AGM!AGMInitialize+0x50541
0b 00afd4d8 6da6e147 98e18f3c 6df01a50 00000001 AGM!AGMInitialize+0x145de
0c 00afd4fc 6daa9f98 00afd528 00afd544 00afd564 AGM!AGMInitialize+0x13ce7
0d 00afd510 6daa9fc4 00000001 26c00b34 00000000 AGM!AGMInitialize+0x4fb38
0e 00afd5c4 72597c55 08b510bc 00000000 00afd5ec AGM!AGMInitialize+0x4fb64
0f 00afd624 6daa9809 af3c6820 00afd6ec 3ab3a740 verifier!AVrfpDphExitHeapPath+0x15
10 00afd690 6daa8957 00afd79c af3c6820 00afd6ec AGM!AGMInitialize+0x4f3a9
11 00afd7b4 6e4f31c1 00afd824 9be36fcc a413cfe0 AGM!AGMInitialize+0x4e4f7
12 00afd828 6e4f306b 00afd9d0 a413cfe0 00afda64 AcroRd32!DllCanUnloadNow+0x1d8f21
13 00afd8a0 6e52d494 00afd9d0 a413cfe0 00afda64 AcroRd32!DllCanUnloadNow+0x1d8dcb
14 00afdbe0 6e528620 b0145000 00afdde0 6e528620 AcroRd32!DllCanUnloadNow+0x2131f4
15 00afddd8 6e52801e a4054a60 6e52801e 00afddf4 AcroRd32!DllCanUnloadNow+0x20e380
16 00afde34 6e524d9d 00afdedc a3c30f68 00000000 AcroRd32!DllCanUnloadNow+0x20dd7e
17 00afdf04 6e4ec84b fdf47bed a445ef78 00000000 AcroRd32!DllCanUnloadNow+0x20aafd
18 00afdfc0 6e518bfa 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1d25ab
19 00afe010 6e50c10c a445ef78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1fe95a
1a 00afe190 6e50b734 a3554d88 6e50b734 a3554dbc AcroRd32!DllCanUnloadNow+0x1f1e6c
1b 00afe200 6e50867f fdf446ad 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1f1494
1c 00afe280 6e50837d b1dfcef0 5f03ef40 a2728eb0 AcroRd32!DllCanUnloadNow+0x1ee3df
1d 00afe2bc 6e50827c b1dfcef0 5f03ef40 a2728eb0 AcroRd32!DllCanUnloadNow+0x1ee0dd
1e 00afe344 6e505d8f b1dfcef0 5f03ef40 00afe568 AcroRd32!DllCanUnloadNow+0x1edfdc
1f 00afe380 6e504664 b1dfcef0 5f03ef40 00afe568 AcroRd32!DllCanUnloadNow+0x1ebaef
20 00afe644 6e5032d8 b1dfcef0 00afe6d8 00afe728 AcroRd32!DllCanUnloadNow+0x1ea3c4
21 00afe748 6e5026cb b1dfcef0 00afe870 00000000 AcroRd32!DllCanUnloadNow+0x1e9038
22 00afe894 6e50152a b1dfcef0 00afe9ec 00000000 AcroRd32!DllCanUnloadNow+0x1e842b
23 00afe8f4 6e5012c5 b1dfcef0 00afe9ec 00000000 AcroRd32!DllCanUnloadNow+0x1e728a
24 00afe974 6e4fd6ef b1dfcef0 00afe9ec 00000000 AcroRd32!DllCanUnloadNow+0x1e7025
25 00afea38 6e4fd092 00000001 00000000 fdf44eb9 AcroRd32!DllCanUnloadNow+0x1e344f
26 00afea94 6e4fce38 b43c4ef0 00000001 fdf44ed5 AcroRd32!DllCanUnloadNow+0x1e2df2
27 00afeaf8 6e4fcbf1 00afebec fdf44821 5e4cef68 AcroRd32!DllCanUnloadNow+0x1e2b98
28 00afec0c 6e3537cd 0000000f 6e3536f0 5e4cef68 AcroRd32!DllCanUnloadNow+0x1e2951
29 00afec24 6e353679 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0x3952d
2a 00afec44 76d915eb 000408ac 0000000f 00000000 AcroRd32!DllCanUnloadNow+0x393d9
2b 00afec70 76d87cda 6e3535b0 000408ac 0000000f USER32!_InternalCallWinProc+0x2b
2c 00afed58 76d878f0 6e3535b0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x33a
2d 00afedbc 76d8bdaf 0b0df640 00000000 0000000f USER32!DispatchClientMessage+0x190
2e 00afedf8 774c56cd 00afee14 00000020 00afee84 USER32!__fnDWORD+0x3f
2f 00afee30 76d866b8 00afeed4 91916c60 00afeed4 ntdll!KiUserCallbackDispatcher+0x4d
30 00afee94 76d860b0 0000000f 00afeeb8 6e36944a USER32!DispatchMessageWorker+0x5f8
31 00afeea0 6e36944a 00afeed4 354b5d88 354b5d88 USER32!DispatchMessageW+0x10
32 00afeeb8 6e3691fe 00afeed4 fdf44b01 354b5d88 AcroRd32!DllCanUnloadNow+0x4f1aa
33 00afef2c 6e3690a4 fdf44b49 354b5d88 00000000 AcroRd32!DllCanUnloadNow+0x4ef5e
34 00afef64 6e2dc39f fdf44bf5 1f1acf40 00000000 AcroRd32!DllCanUnloadNow+0x4ee04
35 00afefd8 6e2dbddc 6dfa0000 00e40000 1f1acf40 AcroRd32!AcroWinMainSandbox+0x74f
36 00aff3fc 0101a615 6dfa0000 00e40000 1f1acf40 AcroRd32!AcroWinMainSandbox+0x18c
37 00aff84c 01093c5a 00e40000 00000000 08b73e60 AcroRd32_exe!CreateCoreWebview2EnvironmentSandbox+0x113c55
38 00aff898 76b7fcc9 00993000 76b7fcb0 00aff904 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1bc7a
39 00aff8a8 774b82ae 00993000 b7f5d512 00000000 KERNEL32!BaseThreadInitThunk+0x19
3a 00aff904 774b827e ffffffff 774d932d 00000000 ntdll!__RtlUserThreadStart+0x2f
3b 00aff914 00000000 01016580 00993000 00000000 ntdll!_RtlUserThreadStart+0x1b
Using this vulnerability, it is possible to read arbitrary memory of the process. Because of complex interactions between PDF reader and font subcomponents, especially in the presence of a JavaScript engine, it is possible that sensitive contents of arbitrary memory could be disclosed, which could aid in further exploitation and exploit mitigation bypass.
2025-03-31 - Vendor Disclosure
2025-06-10 - Vendor Patch Release
2025-06-11 - Public Release
Discovered by KPC of Cisco Talos.