Description
DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-06-16
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds read in Adobe DNG SDK, identified as CWE-125. It may allow an attacker, through a malicious DNG file, to read data beyond the intended buffer boundaries, potentially exposing sensitive memory contents. This flaw can be used to gain access to confidential information that should remain protected. The primary impact is a breach of confidentiality without an evident escalation of privileges.

Affected Systems

Adobe DNG SDK versions 1.7.1 2536 and earlier are affected. Applications that embed or rely on these SDK versions for handling DNG files are impacted, including any Adobe products or third-party software that integrates the SDK.

Risk and Exploitability

The CVSS score is 5.5, indicating a moderate severity. The EPSS score is under 1%, suggesting a low probability of exploitation. This vulnerability is not listed in the CISA KEV catalog, and no widespread exploitation is known. Attacking this flaw requires user interaction: an attacker must deliver a crafted DNG file that the victim opens, a scenario that could occur via email, file sharing, or malicious downloads.

Generated by OpenCVE AI on June 17, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe DNG SDK to version 1.7.1 2537 or later, which contains the out‑of‑bounds read fix.
  • Remove or disable legacy SDK components from applications that handle DNG files to prevent accidental use of the vulnerable code.
  • Implement strict file validation and quarantine procedures before opening DNG files from untrusted sources to mitigate potential attacks.

Generated by OpenCVE AI on June 17, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe dng Sdk
Vendors & Products Adobe
Adobe dng Sdk

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title DNG SDK | Out-of-bounds Read (CWE-125)
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-16T18:55:53.377Z

Reserved: 2026-05-20T15:50:31.361Z

Link: CVE-2026-47927

cve-icon Vulnrichment

Updated: 2026-06-16T18:53:50.584Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:16:56.007

Modified: 2026-06-16T20:41:35.520

Link: CVE-2026-47927

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:30:12Z

Weaknesses