Description
DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

An integer overflow or wraparound issue in Adobe DNG SDK versions 1.7.1 2410 and earlier allows an attacker to execute arbitrary code in the context of the current user. The flaw is rooted in CWE‑190 and would let malicious code run with the privileges of the user opening a crafted file, potentially compromising confidentiality and integrity of the local system.

Affected Systems

Adobe DNG SDK 1.7.1 2410 and earlier.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity vulnerability, but the EPSS score of less than 1% denotes a very low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. Since exploitation requires the victim to open a malicious file, the attack vector is local user interaction, typically within an application that handles DNG files.

Generated by OpenCVE AI on April 16, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe DNG SDK to the latest released version that contains the fix.
  • If an update is not immediately available, restrict the installation or use of DNG files by disabling DNG support in affected applications or enforce strict file‑type validation before opening.
  • Validate incoming DNG files against trusted sources and consider applying vendor‑supplied file‑type whitelisting or sandboxing to mitigate accidental execution.

Generated by OpenCVE AI on April 16, 2026 at 17:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe dng Software Development Kit
CPEs cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:*
Vendors & Products Adobe dng Software Development Kit

Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe dng Sdk
Vendors & Products Adobe
Adobe dng Sdk

Tue, 10 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title DNG SDK | Integer Overflow or Wraparound (CWE-190)
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe Dng Sdk Dng Software Development Kit
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T18:17:13.897Z

Reserved: 2025-12-12T22:01:18.205Z

Link: CVE-2026-21353

cve-icon Vulnrichment

Updated: 2026-02-10T20:03:31.772Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T19:15:58.373

Modified: 2026-02-13T20:37:33.567

Link: CVE-2026-21353

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:30:25Z

Weaknesses