{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21349", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-12-12T22:01:18.204Z", "datePublished": "2026-02-10T19:43:23.584Z", "dateUpdated": "2026-02-26T14:44:28.867Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Lightroom Desktop", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "15.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-02-10T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "Lightroom Desktop versions 15.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.8, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.8, "temporalSeverity": "HIGH", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "Out-of-bounds Write (CWE-787)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-02-10T19:43:23.584Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/lightroom/apsb26-06.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Lightroom Desktop | Out-of-bounds Write (CWE-787)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21349", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:48.677713Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:28.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21349", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:48.677713Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T20:07:40.845Z"}}], "cna": {"title": "Lightroom Desktop | Out-of-bounds Write (CWE-787)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 7.8, "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "HIGH", "availabilityImpact": "HIGH", "environmentalScore": 7.8, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "HIGH", "environmentalSeverity": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "HIGH", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Lightroom Desktop", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "15.1"}], "defaultStatus": "affected"}], "datePublic": "2026-02-10T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/lightroom/apsb26-06.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Lightroom Desktop versions 15.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "Out-of-bounds Write (CWE-787)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-02-10T19:43:23.584Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21349", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:28.867Z", "dateReserved": "2025-12-12T22:01:18.204Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-02-10T19:43:23.584Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:lightroom:*:*:*:*:classic:*:*:*", "matchCriteriaId": "BEB7B149-A436-4FC2-BC36-F1A9C1C89104", "versionEndExcluding": "14.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:lightroom:*:*:*:*:classic:*:*:*", "matchCriteriaId": "42A062EF-18A6-477A-BC96-63F9A1E6166F", "versionEndExcluding": "15.1.1", "versionStartIncluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lightroom Desktop versions 15.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-21349", "lastModified": "2026-02-19T17:50:30.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-02-10T20:16:55.590", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/lightroom/apsb26-06.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.1]"}}], "product": "lightroom_desktop", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-18T12:43:55.307557+00:00", "value": {"mitigation_remediation": ["Upgrade Adobe Lightroom Desktop to the latest available version (15.2 or newer) to remove the out\u2011of\u2011bounds write flaw.", "If an upgrade is not immediately possible, avoid opening unknown or suspicious Lightroom catalog or sidecar files and enforce a strict file\u2011opening policy for users.", "Apply current antivirus signatures and real\u2011time protection to detect and block known malicious Lightroom file patterns and monitor for abnormal memory\u2011write activity."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "Adobe Lightroom Desktop (classic) 15.1 and earlier are impacted. The vulnerability applies to all operating systems supported by the desktop application where the affected version is installed.", "description_and_impact": "Lightroom Desktop versions 15.1 and earlier contain an out-of-bounds write that allows an attacker to overwrite memory and execute arbitrary code within the context of the user who opens a crafted file. The vulnerability is a classic buffer overflow (CWE\u2011787) and can lead to a full compromise of the affected system if exploited successfully.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.8, reflecting high impact but medium severity. EPSS is below 1%, indicating a low probability of real-world exploitation at current time, and the issue is not listed in the CISA KEV catalog. Exploitation requires user interaction; an attacker must deliver a malicious file and convince a user to open it. Once executed, the attacker can gain arbitrary code execution privileges matching the user\u2019s account level."}}}}, "created": "2026-02-10T21:33:19.085998+00:00", "updated": "2026-04-18T12:45:45.676680+00:00", "vendors": ["adobe", "adobe$PRODUCT$lightroom_desktop"]}