CVE-2026-47964: DNG SDK | Heap-based Buffer Overflow (CWE-122)
DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A heap-based buffer overflow affects Adobe DNG SDK versions 1.7.1 2536 and earlier. The vulnerability is reached locally and requires no authentication, but a victim must open a malicious file for exploitation to succeed. Successful exploitation gives an attacker arbitrary code execution running as the current user, enabling full read, write, and control of whatever that process can access. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle the DNG SDK library. Any image containing an affected version of DNG SDK at or below 1.7.1 2536 is flagged automatically.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting that score against each customer environment's compliance policy to determine urgency. Triage alerts can be routed to the appropriate team inbox within each customer organization based on policy configuration.
AvailableBecause no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Adobe ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Pending upstreamExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required.
- AuthenticationNot required
No account or credentials are needed to deliver the malicious file to a victim.
- Victim interactionRequired
A victim must open a specially crafted file, making social engineering or malicious file delivery a necessary part of the attack chain.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental factors beyond convincing the victim to open the file.
Blast Radius
- The attacker executes arbitrary code in the context of the user who opened the malicious file.
- All files, secrets, and credentials readable by that user process are exposed.
- Any data writable by that user process can be modified or deleted, including application data and configuration files.
- The affected process can be crashed or hijacked, disrupting any service or workflow running under that user account.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active across all connected registries and build pipelines, flagging any image that packages DNG SDK 1.7.1 2536 or earlier. Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard monitors the upstream advisory on every ingest cycle and will automatically make a rebuild available the moment a remediated version is released; for customers with auto-remediation enabled, that rebuild will be accompanied by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include restricting execution environments so that untrusted files cannot be opened by processes that use the DNG SDK, applying egress filtering to limit what an exploited process can reach, and using feature-flag or build-time gating to exclude the DNG SDK from images where it is not strictly required.
- Adobe / DNG SDK≤ 1.7.1 2536
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H