Description
Lightroom Desktop versions 15.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

Lightroom Desktop versions 15.1 and earlier contain an out-of-bounds write that allows an attacker to overwrite memory and execute arbitrary code within the context of the user who opens a crafted file. The vulnerability is a classic buffer overflow (CWE‑787) and can lead to a full compromise of the affected system if exploited successfully.

Affected Systems

Adobe Lightroom Desktop (classic) 15.1 and earlier are impacted. The vulnerability applies to all operating systems supported by the desktop application where the affected version is installed.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8 (High), reflecting high impact. EPSS is below 1%, indicating a low probability of real-world exploitation at the current time, and the issue is not listed in the CISA KEV catalog. Exploitation requires user interaction; an attacker must deliver a malicious file and convince a user to open it. Once the file is opened, the attacker can execute arbitrary code with the privileges of the user's account.

Generated by OpenCVE AI on April 18, 2026 at 12:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Lightroom Desktop to the latest available version (15.2 or newer) to remove the out‑of‑bounds write flaw.
  • If an upgrade is not immediately possible, avoid opening unknown or suspicious Lightroom catalog or sidecar files and enforce a strict file‑opening policy for users.
  • Apply current antivirus signatures and real‑time protection to detect and block known malicious Lightroom file patterns and monitor for abnormal memory‑write activity.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe lightroom |
| CPEs | | cpe:2.3:a:adobe:lightroom:*:*:*:*:classic:*:*:* |
| Vendors & Products | | Adobe lightroom |

Tue, 10 Feb 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe lightroom Desktop |
| Vendors & Products | | Adobe; Adobe lightroom Desktop |

Tue, 10 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 10 Feb 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Lightroom Desktop versions 15.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Lightroom Desktop \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:28.867Z

Reserved: 2025-12-12T22:01:18.204Z

Link: CVE-2026-21349

Vulnrichment

Updated: 2026-02-10T20:07:40.845Z

NVD

Status: Analyzed

Published: 2026-02-10T20:16:55.590

Modified: 2026-02-19T17:50:30.293

Link: CVE-2026-21349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses