Skip to main content

Adobe DNG SDK CVE-2026-47927

| EUVDEUVD-2026-37132 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-16 adobe GHSA-q57c-73r4-6g5h
5.5
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

File-based local attack (AV:L, UI:R) with no attacker privileges needed (PR:N); impact is memory disclosure only (C:H, I:N, A:N), unchanged scope.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 19:10 vuln.today

DescriptionCVE.org

DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory contents when a victim opens a specially crafted DNG image file. The attacker requires no privileges of their own - the attack surface is entirely dependent on social engineering a user into opening a malicious file processed by any application embedding the vulnerable SDK. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malformed DNG file with invalid buffer offset
Delivery
Deliver file to victim via phishing or malicious download
Exploit
Victim opens file in DNG SDK-based application
Execution
SDK parser performs out-of-bounds read beyond allocated buffer
Impact
Sensitive process memory contents disclosed

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim user actively opens a specially crafted DNG file using an application built on Adobe DNG SDK version 1.7.1 build 2536 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.5 (Medium) correctly reflects the constrained attack model: AV:L limits the vector to local file access, UI:R mandates victim interaction, and the impact triad of C:H/I:N/A:N confirms disclosure-only with no execution or denial-of-service capability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a DNG image file with a malformed offset or length field in its structure, designed to cause the DNG SDK parser to read beyond the intended buffer boundary. The file is delivered to a target via phishing email, a malicious download link, or a compromised file-sharing service, and the victim opens it in a photo editing or DAM application built on the vulnerable SDK. …
Remediation Adobe has published security advisory APSB26-67 at https://helpx.adobe.com/security/products/dng-sdk/apsb26-67.html, which should be consulted for the exact patched SDK version, as the available input data does not independently confirm the specific fixed build number beyond the vulnerable ceiling of version 1.7.1 build 2536. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy