Description
DNG SDK versions 1.7.1 2471 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution in the context of the current user
Action: Patch
AI Analysis

Impact

An out-of-bounds write flaw exists in Adobe DNG SDK versions 1.7.1 2471 and earlier, allowing a crafted DNG file to write outside the bounds of a buffer during processing. The write is triggered when a user opens the malicious file and can lead to execution of attacker-controlled code with the privileges of the local user. The weakness is classified as CWE-787 (out-of-bounds write), a memory corruption class that can permit arbitrary code execution.

Affected Systems

Adobe DNG SDK, versions 1.7.1 2471 and all earlier releases. The flaw is in the software development kit used to parse DNG images and is specific to this Adobe product.

Risk and Exploitability

The CVSS score of 7.8 is rated High, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The attack requires user interaction: a victim must open a malicious DNG file, which makes opportunistic exploitation less likely. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread attacks yet, but the potential for arbitrary code execution warrants attention.

Generated by OpenCVE AI on April 16, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Adobe DNG SDK to a release newer than version 1.7.1 2471 that contains the official fix.
  • Verify that all DNG files opened by the application originate from trusted sources; consider implementing a whitelist or source‑validation step before processing.
  • Run any application that handles DNG files under reduced privileges or in a sandboxed environment to limit the impact of a potential exploit.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe dng Software Development Kit
CPEs | | cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:*
Vendors & Products | | Adobe dng Software Development Kit

Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe, Adobe dng Sdk
Vendors & Products | | Adobe, Adobe dng Sdk

Tue, 10 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | DNG SDK versions 1.7.1 2471 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | DNG SDK | Out-of-bounds Write (CWE-787)
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T03:57:16.020Z

Reserved: 2026-02-18T22:02:41.389Z

Link: CVE-2026-27280

Vulnrichment

Updated: 2026-03-10T18:38:31.641Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:20.250

Modified: 2026-03-12T17:07:05.040

Link: CVE-2026-27280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z