Miniaudio and Adobe Acrobat Reader vulnerabilities

TALOS

Thursday, March 13, 2025 14:23

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Miniaudio vulnerability and three Adobe vulnerabilities.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Miniaudio out-of-bounds write vulnerability**

Discovered by Emmanuel Tacheau of Cisco Talos.

TALOS-2024-2063 (CVE-2024-41147) is an out-of-bounds write vulnerability in Miniaudio, a lightweight, single-file audio playback and capture library written in C. A missing allocation size check can cause a buffer overflow, leading to this out-of-bounds write. This vulnerability can be triggered by a specially crafted FLAC file, resulting in memory corruption in playback mode. The application sends raw audio data to Miniaudio, which is then played back through the default playback device as defined by the operating system.

**Adobe Acrobat out-of-bounds write vulnerability**

Discovered by KPC of Cisco Talos.

TALOS-2025-2134 (CVE-2025-27163) and TALOS-2025-2136 (CVE-2025-27164) are out-of-bounds read vulnerabilities in the font functionality, which can lead to disclosure of sensitive information. TALOS-2025-2135 (CVE-2025-27158) is a memory corruption vulnerability, stemming from an uninitialized pointer in the font functionality of Adobe Acrobat, which can potentially lead to arbitrary code execution. A specially crafted font file embedded into a PDF can trigger these vulnerabilities. An attacker needs to trick the user into opening a malicious file.
