Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write vulnerability that could lead to application denial-of-service. An attacker could leverage this vulnerability to corrupt memory, causing the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Out-of-bounds write in Adobe DNG SDK 1.7.1 2502 and earlier causes application denial-of-service through memory corruption when processing malicious DNG files. The vulnerability requires user interaction (opening a crafted file) and affects local attackers on systems where DNG SDK is deployed; no public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
DNG SDK is Adobe's Digital Negative format library used for processing RAW image files. The vulnerability (CWE-787: Out-of-bounds Write) occurs in memory management routines that parse DNG file structures. When a specially crafted DNG file is processed, inadequate bounds checking allows an attacker to write data beyond allocated buffer boundaries, corrupting adjacent memory regions. This memory corruption directly impacts application availability by triggering crashes or hangs. The local attack vector and requirement for user interaction (opening the malicious file) limit the exposure model compared to remote vulnerabilities, but the out-of-bounds write class remains a serious memory safety issue.
RemediationAI
Update Adobe DNG SDK to version 1.7.2 or later; consult the official Adobe security advisory APSB26-41 at https://helpx.adobe.com/security/products/dng-sdk/apsb26-41.html for exact patched release availability and download instructions. For applications embedding DNG SDK, coordinate dependency updates with software release cycles to ensure patched versions are deployed. Until patching is complete, restrict opening of DNG files from untrusted sources and implement file type validation on input. No vendor-documented workarounds are available; patching is the primary remediation path.
Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory when a victim opens a
Out-of-bounds memory read in Adobe DNG SDK 1.7.1 build 2536 and earlier enables sensitive process memory disclosure when
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory contents when a victim
Null Pointer Dereference in Adobe DNG SDK versions 1.7.1 build 2536 and earlier allows an attacker to crash any applicat
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22434
GHSA-85g7-96qr-w5x4