Skip to main content

Adobe DNG SDK EUVDEUVD-2026-37133

| CVE-2026-47964 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-16 adobe GHSA-gjjx-fhhm-r5cv
7.8
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local file-parsing flaw requiring the victim to open a malicious DNG (AV:L, UI:R), no prior auth needed (PR:N), and code executes with full user-context CIA impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 18:57 vuln.today

DescriptionCVE.org

DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in the context of the current user when a victim opens a maliciously crafted DNG file. The flaw affects any application or workflow that links the DNG SDK for parsing Digital Negative raw image files, and no public exploit identified at time of analysis. With a CVSS 7.8 (AV:L/UI:R) and user-interaction requirement, exploitation is realistic via social-engineered file delivery rather than remote network attack.

Technical ContextAI

The Adobe DNG (Digital Negative) Software Development Kit is a C++ library distributed by Adobe to enable third-party imaging applications, RAW converters, and camera tooling to read, write, and validate DNG files - an open raw-image container based on TIFF/EP. CWE-122 (Heap-Based Buffer Overflow) indicates the SDK allocates a heap buffer whose size is derived from attacker-controlled fields in a malformed DNG/TIFF structure (likely an image strip, tile, metadata IFD entry, or thumbnail) and then writes past the allocation while parsing. Because the SDK is consumed by many downstream products (Adobe Camera Raw, Lightroom, DNG Converter, and any OEM/third-party tools embedding the library), the bug surface extends to every application statically or dynamically linked against the vulnerable SDK version, as expressed by the wildcard CPE cpe:2.3:a:adobe:dng_sdk:*.

RemediationAI

Patch available per vendor advisory: upgrade the Adobe DNG SDK to the version published in APSB26-67 (https://helpx.adobe.com/security/products/dng-sdk/apsb26-67.html) and rebuild any downstream applications that embed the SDK; the exact fixed SDK build number is not enumerated in the provided intelligence and should be confirmed from that advisory. End users of Adobe products (Camera Raw, Lightroom, DNG Converter) should apply the corresponding Adobe Creative Cloud updates that ship the rebuilt SDK. Where immediate patching is not possible, compensating controls include blocking inbound .dng attachments at the mail gateway (side effect: blocks legitimate photographer workflows), training users not to open DNG files from untrusted sources, and running RAW-processing applications under a standard (non-admin) user with attack-surface reduction or application-sandboxing (e.g., Windows AppContainer, macOS App Sandbox) to limit blast radius if the overflow is triggered.

Share

EUVD-2026-37133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy