Skip to main content

Adobe DNG SDK CVE-2026-47964

| EUVDEUVD-2026-37133 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-16 adobe GHSA-gjjx-fhhm-r5cv
7.8
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local file-parsing flaw requiring the victim to open a malicious DNG (AV:L, UI:R), no prior auth needed (PR:N), and code executes with full user-context CIA impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 18:57 vuln.today

DescriptionCVE.org

DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in the context of the current user when a victim opens a maliciously crafted DNG file. The flaw affects any application or workflow that links the DNG SDK for parsing Digital Negative raw image files, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious DNG file
Delivery
Deliver via phishing or shared storage
Exploit
Victim opens file in DNG-SDK app
Execution
Trigger heap buffer overflow in parser
Persist
Hijack control flow
Impact
Execute arbitrary code as current user

Vulnerability AssessmentAI

Exploitation Requires the victim to open a maliciously crafted DNG (Digital Negative) raw-image file in an application that links Adobe DNG SDK 1.7.1 build 2536 or earlier - this includes Adobe DNG Converter, Camera Raw, Lightroom/Lightroom Classic, and any third-party RAW imaging tool bundling the SDK. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H reflects a classic client-side file-parsing flaw: local attack vector (the file must reach the victim's machine), low complexity, no privileges, but mandatory user interaction (opening the file) - giving full CIA impact in the user's security context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malformed DNG file with manipulated IFD/strip metadata that triggers the heap overflow during parsing, then delivers it to a target photographer or imaging-workflow user via phishing email, a shared cloud album, or a poisoned stock-image download. When the victim opens the file in Adobe Camera Raw, Lightroom, DNG Converter, or any third-party application linked against the vulnerable SDK, the overflow corrupts heap metadata and yields arbitrary code execution as the logged-in user, enabling credential theft, ransomware staging, or lateral movement. …
Remediation Patch available per vendor advisory: upgrade the Adobe DNG SDK to the version published in APSB26-67 (https://helpx.adobe.com/security/products/dng-sdk/apsb26-67.html) and rebuild any downstream applications that embed the SDK; the exact fixed SDK build number is not enumerated in the provided intelligence and should be confirmed from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications linked to Adobe DNG SDK versions 1.7.1 (build 2536) and earlier; restrict access to DNG files from external and untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy