Description
DNG SDK versions 1.7.1 2410 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Update Software
AI Analysis

Impact

An out-of-bounds read flaw exists in the Adobe DNG SDK that lets a malicious file cause the software to read memory beyond a valid buffer, potentially exposing sensitive data. The vulnerability is classified as CWE-125 and leads to disclosure of confidential information. This is not a code execution or denial‑of‑service fault, but it can leak secrets held in the target process memory.

Affected Systems

Adobe Digital Negative Software Development Kit versions 1.7.1 2410 and earlier are affected. All installations that compile or use these SDK binaries are potentially vulnerable if they process external DNG files.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity, and the EPSS value of less than 1% suggests a low likelihood of widespread exploitation at this time. The flaw is not listed in the CISA KEV catalog, implying no confirmed widely‑used exploits as of now. An attacker must provide a malicious DNG file and convince a user to open it, so the attack vector is user‑interaction‑dependent and likely limited to workstations or devices that handle DNG content.

Generated by OpenCVE AI on April 16, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Adobe DNG SDK that removes the out‑of‑bounds read vulnerability.
  • Avoid opening unknown or untrusted DNG files and enforce strict file‑type validation wherever possible.
  • Disable or remove the DNG SDK component from systems that do not require DNG support to eliminate the attack surface.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe dng Software Development Kit |
| CPEs | | cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:* |
| Vendors & Products | | Adobe dng Software Development Kit |

Tue, 10 Feb 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe; Adobe dng Sdk |
| Vendors & Products | | Adobe; Adobe dng Sdk |

Tue, 10 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 10 Feb 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | DNG SDK versions 1.7.1 2410 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | DNG SDK \| Out-of-bounds Read (CWE-125) |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-10T18:17:04.996Z

Reserved: 2025-12-12T22:01:18.205Z

Link: CVE-2026-21355

Vulnrichment

Updated: 2026-02-10T20:05:27.384Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:59.503

Modified: 2026-02-13T20:37:41.920

Link: CVE-2026-21355

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:25Z

Weaknesses