CVE-2022-24092 - Exploiting an Out-of-Bounds Write in Acrobat Reader DC — Inside the Vulnerability and Example Exploit

Adobe's Acrobat Reader DC is among the world’s most popular PDF viewers, used by millions every day. In 2022, a critical vulnerability – CVE-2022-24092 – was discovered that puts users at risk of arbitrary code execution via a malicious font file. In this post, we’ll break down what this means, how an attacker could exploit it, and walk through a basic Proof of Concept (PoC). All in clear, simple language.

Acrobat 2017 (v17.011.30204 and earlier)

An out-of-bounds write bug means the software writes data outside the memory it's supposed to use – which is dangerous. If an attacker can control what gets written, they might overwrite important data or program flow, potentially making Acrobat run malicious code.

Why Does This Matter?

Attackers love vulnerabilities like this. It lets them trick Acrobat into running anything, including malware – but only if someone opens a malicious PDF first.

**If successful, malware code runs as the victim user.**

User interaction is required: Victims have to open the malicious file for the attack to work.

Diving into the Details

The vulnerable code deals with embedded font handling in PDFs. Adobe PDFs can include custom font programs. When parsing one, there’s a routine that doesn’t properly check size limits, allowing a write past the end of an allocated memory buffer.

Short explanation:
The attacker crafts a font table in the PDF that will cause Acrobat to write outside intended memory, corrupting data structures used by the program itself.

Reference:
- Adobe Security Bulletin APSB22-01
- NIST NVD - CVE-2022-24092

Proof-of-Concept: Malicious PDF with Embedded Font

Below is a *simplified* explanation and example of how such an attack might be triggered. For safety, this demo does not produce a working exploit, but shows the concept.

1. Minimal Malicious PDF Structure

A PDF file is made of objects. To exploit this bug, an attacker would craft a PDF containing a font object with corrupt data.

%PDF-1.4
1  obj
<< /Type /Catalog /Pages 2  R >>
endobj
2  obj
<< /Type /Pages /Kids [3  R] /Count 1 >>
endobj
3  obj
<< /Type /Page /Parent 2  R /MediaBox [  595 842]
   /Resources << /Font << /F1 4  R >> >>
   /Contents 5  R >>
endobj
4  obj
<< /Type /Font /Subtype /Type1 /BaseFont /CustomFont
   /FontDescriptor 6  R
   /Encoding /WinAnsiEncoding
   /FirstChar  /LastChar 255
   /Widths [ 100 100 100 ... ] % normally there are 256 numbers here
>>
endobj
5  obj
<< /Length 44 >>
stream
BT
/F1 24 Tf
100 700 Td
(This is a test) Tj
ET
endstream
endobj
6  obj
<<
  /Type /FontDescriptor
  /FontName /CustomFont
  /Flags 4
  /FontBBox [ -200 100 900]
  /FontFile 7  R
>>
endobj
7  obj
<< /Length 20 >>
stream
% Maliciously crafted binary font data here
endstream
endobj
xref
 8
000000000 65535 f
...
trailer
<< /Size 8 /Root 1  R >>
startxref
...
%%EOF

What’s dangerous here:
The /FontFile stream (object 7) would contain a malicious font in reality – say, a Type 1 or CFF font file with invalid length/data. The exploit is in how Acrobat parses this.

2. Crafting the Malicious Font Data

Real exploits craft binary font files with fields like *length* or *glyph count* set to very large or negative numbers, making Acrobat write past allocated buffers. An attacker would assemble or patch a font like this:

# Pseudocode: Patch a CFF font's 'nGlyphs' to a huge value to try to overflow
with open('benign.cff', 'rb') as f:
    font = bytearray(f.read())

# Let's say, at offset x44, the number of glyphs is stored
font[x44:x46] = b'\xFF\xFF'  # Set nGlyphs to 65535, or a signed negative as needed

with open('malicious.cff', 'wb') as f:
    f.write(font)

3. Embedding the Malicious Font into the PDF

Once the font is modified, it would be base64-embedded into the /FontFile stream above.

<< /Length 568 >>
stream
<binary font data here>
endstream

Acrobat, parsing this, would overflow during font table handling, leading to arbitrary code execution if the rest of memory layout is predictable.

Trigger: User opens PDF; Acrobat processes font and triggers overflow.

- Payload: shellcode (like reverse shell or malware downloader) is loaded into memory and executed.

Mitigations:

Update Acrobat Reader as soon as possible.

- Use OS-level protections like DEP/ASLR.

How to Stay Safe

- Update: Download latest Adobe Acrobat Reader DC. Make sure you’re on a version newer than:

References

- Adobe Security Bulletin APSB22-01
- NIST NVD: CVE-2022-24092
- Exploit Database: CVE-2022-24092 Proof-of-Concept (for educational use only!)

Closing Thoughts

CVE-2022-24092 is a great example of how one bug – just an out-of-bounds write in font parsing – can endanger millions. The main lesson: Keep your PDF reader patched, and never trust random PDFs, even from people you know. Attackers only need you to click once.

If you found this writeup helpful, share it to help others stay safe!

Timeline

Published on: 03/18/2022 18:15:00 UTC
Last modified on: 03/25/2022 19:40:00 UTC

Acrobat 2017 (v17.011.30204 and *earlier*)