Impact
Adobe FrameMaker versions 2022.8 and earlier contain an out-of-bounds read vulnerability that can be triggered when the application parses a specially crafted file. Reading past the end of an allocated memory structure can lead to arbitrary code execution in the context of the user who opens the file, potentially allowing an attacker to compromise the host system with that user's privileges. The vulnerability is a memory corruption flaw categorized as CWE-125.
Affected Systems
Adobe FrameMaker is the affected product. Versions 2022.8 and all earlier releases are susceptible to the flaw. Any FrameMaker release published before Adobe issued security advisory APSB26-36 is considered insecure and should be updated. The advisory does not list newer releases as affected.
Risk and Exploitability
The Common Vulnerability Scoring System (CVSS) base score is 7.8, indicating high severity. An Exploit Prediction Scoring System (EPSS) score is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires user interaction: a victim must open a malicious file for the vulnerability to be exercised. This reduces the likelihood of widespread automated exploitation, but the flaw still poses a significant threat in environments where users routinely handle untrusted documents. An attacker who can deliver a crafted file, or trick a user into opening one, can achieve arbitrary code execution with the user's rights.