CVE-2026-27289 - Vulnerability Details

- Photoshop Desktop | Out-of-bounds Read (CWE-125)

Description

Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published: 2026-04-14

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An out-of-bounds read in Adobe Photoshop Desktop allows a crafted file to trigger a read past the end of an allocated memory structure. This flaw can be exploited to execute arbitrary code with the privileges of the user who opens the file, effectively leading to remote code execution. The vulnerability is triggered only when a victim opens a malicious file, meaning user interaction is required.

Affected Systems

Adobe Photoshop Desktop versions 27.4 and earlier are affected. All later versions are not impacted. The flaw applies across all platforms that run Photoshop Desktop, as the vendor’s advisory lists the product line rather than specific operating systems.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. Exploitation requires user interaction, reducing the likelihood of automated attacks, yet the high score and potential to gain code execution make this a serious risk. No exploitation is listed in CISA’s KEV catalog, and no EPSS score is available, so the current exploitation trend is unclear, but the vulnerability remains dangerous until patched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

Photoshop Desktop

affected

Version	Status	Constraints
`0`	affected	≤ 27.4

Configuration 1 [-]

AND

cpe:2.3:a:adobe:photoshop:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Adobe

Photoshop Desktop

100%

Version	Status	Scheme	Platform
`[0,27.4]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Adobe Photoshop Desktop update that addresses the out-of-bounds read, which is released in version 27.5 or later.
If a patch is not immediately available, avoid opening unknown or suspicious files until the update is applied.
Verify that the update includes a fix for the out-of-bounds read by checking the Adobe security advisory referenced in the CVE entry.

Generated by OpenCVE AI on April 14, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://helpx.adobe.com/security/products/photoshop/apsb26-40.html

History

Wed, 15 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe photoshop Apple Apple macos Microsoft Microsoft windows
CPEs		cpe:2.3:a:adobe:photoshop:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Adobe photoshop Apple Apple macos Microsoft Microsoft windows

Wed, 15 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe photoshop Desktop
Vendors & Products		Adobe Adobe photoshop Desktop

Wed, 15 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title		Photoshop Desktop \| Out-of-bounds Read (CWE-125)
Weaknesses		CWE-125
References		https://helpx.adobe.com/security/products/photoshop/apsb26-40.html
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Adobe Photoshop Photoshop Desktop

Apple Macos

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-04-14T19:36:14.817Z

Updated: 2026-04-15T09:13:12.102Z

Reserved: 2026-02-18T22:02:41.395Z

Link: CVE-2026-27289

Vulnrichment

Updated: 2026-04-15T09:07:39.477Z

NVD

Status : Analyzed

Published: 2026-04-14T20:16:34.140

Modified: 2026-04-15T19:34:54.853

Link: CVE-2026-27289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:56Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object