Impact
The vulnerability is an out-of-bounds read in Adobe DNG SDK, identified as CWE-125. It may allow an attacker, through a malicious DNG file, to read data beyond the intended buffer boundaries, potentially exposing sensitive memory contents. This flaw can be used to gain access to confidential information that should remain protected. The primary impact is a breach of confidentiality without an evident escalation of privileges.
Affected Systems
Adobe DNG SDK versions 1.7.1 2536 and earlier are affected. Applications that embed or rely on these SDK versions for handling DNG files are impacted, including any Adobe products or third-party software that integrates the SDK.
Risk and Exploitability
The CVSS score is 5.5, indicating a moderate severity. The EPSS score is under 1%, suggesting a low probability of exploitation. This vulnerability is not listed in the CISA KEV catalog, and no widespread exploitation is known. Attacking this flaw requires user interaction: an attacker must deliver a crafted DNG file that the victim opens, a scenario that could occur via email, file sharing, or malicious downloads.
OpenCVE Enrichment