Description
DNG SDK versions 1.7.1 2410 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution in Current User Context
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds write in Adobe's DNG SDK allows an attacker who can supply a specially crafted DNG file to overwrite memory beyond allocated buffers. If the write is successful, the attacker can execute arbitrary code with the privileges of the user running the software. The vulnerability is classified as CWE-787. Because a victim must open the malicious file, exploitation requires user interaction, but a successful attack can still compromise system integrity.

Affected Systems

Adobe DNG SDK versions 1.7.1 or earlier (build 2410 and earlier) are affected. Systems that rely on these SDK versions, such as Adobe applications or any custom integrations embedding the SDK, remain vulnerable until an updated version is deployed.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the EPSS score of less than 1% suggests exploitation is currently unlikely but not impossible. Because exploitation requires a user to open a crafted DNG file, delivery would rely on social engineering or a supply-chain approach, potentially through email attachments or compromised software bundles. The vulnerability is not listed in the CISA KEV catalog, so there is no publicly confirmed exploitation at the time of this analysis.

Generated by OpenCVE AI on April 16, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Adobe DNG SDK to a version newer than 1.7.1 2410 to remove the out‑of‑bounds write flaw.
  • Disable DNG file processing for untrusted sources or restrict the feature to administratively approved paths only.
  • Monitor and alert on attempts to open malicious DNG files, and verify that the vulnerability is not present in your environment.



Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe dng Software Development Kit |
| CPEs | | cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:* |
| Vendors & Products | | Adobe dng Software Development Kit |

Tue, 10 Feb 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe; Adobe dng Sdk |
| Vendors & Products | | Adobe; Adobe dng Sdk |

Tue, 10 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 10 Feb 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | DNG SDK versions 1.7.1 2410 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | DNG SDK \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T18:17:20.915Z

Reserved: 2025-12-12T22:01:18.205Z

Link: CVE-2026-21352

Vulnrichment

Updated: 2026-02-10T20:01:55.244Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:58.107

Modified: 2026-02-13T20:37:27.767

Link: CVE-2026-21352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:25Z

Weaknesses