Impact
The vulnerability is an out-of-bounds read in Adobe DNG SDK versions 1.7.1.2536 and earlier. This flaw can allow a malicious file to expose parts of memory that may contain sensitive data, potentially leading to information disclosure. The weakness is classified as CWE-125. The vulnerability does not provide arbitrary code execution or denial of service; it purely affects confidentiality by leaking data that may be present in the process memory.
Affected Systems
Adobe DNG SDK, versions 1.7.1.2536 and earlier, are affected. Versions newer than 1.7.1.2536 are not impacted.
Risk and Exploitability
The CVSS score of 5.5 indicates a medium severity. The EPSS score is very low (<1%), reflecting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to open a malicious DNG file, meaning user interaction is needed; the attack vector is a local file read. The risk remains moderate for environments that routinely process DNG files from untrusted sources, while systems that reject external media are less exposed.
OpenCVE Enrichment