{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21354", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-12-12T22:01:18.205Z", "datePublished": "2026-02-10T18:32:03.209Z", "dateUpdated": "2026-03-10T18:17:32.769Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "DNG SDK", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "1.7.1 2410", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-02-10T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 5.5, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 5.5, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "Integer Overflow or Wraparound (CWE-190)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-03-10T18:17:32.769Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/dng-sdk/apsb26-23.html"}], "source": {"discovery": "EXTERNAL"}, "title": "DNG SDK | Integer Overflow or Wraparound (CWE-190)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T18:59:08.526271Z", "id": "CVE-2026-21354", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T19:10:52.325Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21354", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T18:59:08.526271Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T19:10:49.857Z"}}], "cna": {"title": "DNG SDK | Integer Overflow or Wraparound (CWE-190)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 5.5, "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "HIGH", "environmentalScore": 5.5, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "NONE", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "NONE", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "DNG SDK", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.1 2410"}], "defaultStatus": "affected"}], "datePublic": "2026-02-10T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/dng-sdk/apsb26-23.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "Integer Overflow or Wraparound (CWE-190)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-03-10T18:17:32.769Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21354", "state": "PUBLISHED", "dateUpdated": "2026-03-10T18:17:32.769Z", "dateReserved": "2025-12-12T22:01:18.205Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-02-10T18:32:03.209Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "39CD12E3-C567-4F3D-A37A-B73D3B4DCFCD", "versionEndExcluding": "1.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-21354", "lastModified": "2026-02-13T20:37:36.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-02-10T19:15:59.140", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/dng-sdk/apsb26-23.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7.1 2410]"}}], "product": "dng_sdk", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-16T17:17:12.810304+00:00", "value": {"mitigation_remediation": ["Upgrade Adobe DNG SDK to the latest release that supersedes version 1.7.1 2410", "Refuse to open or automatically reject any unknown or suspicious DNG files", "Run DNG processing within a sandboxed or read\u2011only environment to contain any crashes"], "summary": {"action": "Apply Patch", "impact": "Denial of Service in Adobe DNG SDK through integer overflow"}, "threat_synthesis": {"affected_systems": "Adobe DNG SDK, specifically releases up to and including version 1.7.1 2410. All installations of the SDK that have not been updated beyond this point are susceptible.", "description_and_impact": "Adobe DNG SDK versions 1.7.1 2410 and earlier suffer from an integer overflow or wraparound condition that can cause the application to crash or become unresponsive. The flaw does not provide a path to gain code execution or disclose data; its primary consequence is service disruption to the user who opens a crafted file. The vulnerability is catalogued as CWE-190 and is evaluated as a moderate severity threat.", "risk_and_exploitability": "The CVSS base score is 5.5, indicating a medium impact on availability. The EPSS score is below 1\u202f%, suggesting a low probability of exploitation at the present moment. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires a local attacker to supply a malicious DNG file that the user must open, implying that user awareness and safe file handling practices can further reduce the risk. The attack vector is infrequent and not automated."}}}}, "created": "2026-02-10T21:33:24.132326+00:00", "updated": "2026-04-16T17:30:25.996861+00:00", "vendors": ["adobe", "adobe$PRODUCT$dng_sdk"]}