Impact
Adobe DNG SDK versions 1.7.1 2536 and earlier contain an out‑of‑bounds read that can leak sensitive information from memory. When a malicious DNG file is opened, the flaw allows an attacker to read arbitrary memory contents, potentially revealing confidential data. The vulnerability does not provide direct code execution, but it exposes the application to data disclosure that could be leveraged for further attacks.
Affected Systems
Adobe DNG SDK 1.7.1 2536 and all earlier releases are impacted. Any system or application that parses DNG files using these SDK versions is susceptible to the read exploit.
Risk and Exploitability
The CVSS score of 5.5 classifies this issue as moderate severity, while the EPSS score of less than 1% indicates a very low real‑world exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires user interaction— a victim must open a malicious file—so its reach is limited to environments that process potentially untrusted DNG content.
OpenCVE Enrichment