Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local file-parsing flaw requiring the victim to open a malicious DNG (AV:L, UI:R), no prior auth needed (PR:N), and code executes with full user-context CIA impact.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in the context of the current user when a victim opens a maliciously crafted DNG file. The flaw affects any application or workflow that links the DNG SDK for parsing Digital Negative raw image files, and no public exploit identified at time of analysis. With a CVSS 7.8 (AV:L/UI:R) and user-interaction requirement, exploitation is realistic via social-engineered file delivery rather than remote network attack.
Technical ContextAI
The Adobe DNG (Digital Negative) Software Development Kit is a C++ library distributed by Adobe to enable third-party imaging applications, RAW converters, and camera tooling to read, write, and validate DNG files - an open raw-image container based on TIFF/EP. CWE-122 (Heap-Based Buffer Overflow) indicates the SDK allocates a heap buffer whose size is derived from attacker-controlled fields in a malformed DNG/TIFF structure (likely an image strip, tile, metadata IFD entry, or thumbnail) and then writes past the allocation while parsing. Because the SDK is consumed by many downstream products (Adobe Camera Raw, Lightroom, DNG Converter, and any OEM/third-party tools embedding the library), the bug surface extends to every application statically or dynamically linked against the vulnerable SDK version, as expressed by the wildcard CPE cpe:2.3:a:adobe:dng_sdk:*.
RemediationAI
Patch available per vendor advisory: upgrade the Adobe DNG SDK to the version published in APSB26-67 (https://helpx.adobe.com/security/products/dng-sdk/apsb26-67.html) and rebuild any downstream applications that embed the SDK; the exact fixed SDK build number is not enumerated in the provided intelligence and should be confirmed from that advisory. End users of Adobe products (Camera Raw, Lightroom, DNG Converter) should apply the corresponding Adobe Creative Cloud updates that ship the rebuilt SDK. Where immediate patching is not possible, compensating controls include blocking inbound .dng attachments at the mail gateway (side effect: blocks legitimate photographer workflows), training users not to open DNG files from untrusted sources, and running RAW-processing applications under a standard (non-admin) user with attack-surface reduction or application-sandboxing (e.g., Windows AppContainer, macOS App Sandbox) to limit blast radius if the overflow is triggered.
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory when a victim opens a
Out-of-bounds memory read in Adobe DNG SDK 1.7.1 build 2536 and earlier enables sensitive process memory disclosure when
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory contents when a victim
Null Pointer Dereference in Adobe DNG SDK versions 1.7.1 build 2536 and earlier allows an attacker to crash any applicat
Out-of-bounds write in Adobe DNG SDK 1.7.1 2502 and earlier causes application denial-of-service through memory corrupti
Same weakness CWE-122 – Heap-based Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37133
GHSA-gjjx-fhhm-r5cv