Cyber Resilience

CVE-2022-23203

High

Published: 16 February 2022

Published
16 February 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.1865 95.4th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-23203 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Adobe Photoshop. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Adobe Photoshop versions 22.5.4 and earlier as well as 23.1 and earlier contain a buffer overflow vulnerability stemming from insecure handling of a crafted file. The flaw is tracked as CWE-120 and carries a CVSS 3.1 score of 7.8, reflecting the potential for arbitrary code execution in the context of the current user when the malformed file is processed.

An attacker can exploit the issue by supplying a specially crafted file that a victim must open in Photoshop. Successful exploitation grants code execution privileges equivalent to those of the user running the application, but the attack requires user interaction and cannot be triggered remotely without that step.

The official Adobe security bulletin APSB22-08 addresses the vulnerability and provides remediation guidance, including updated Photoshop builds that resolve the buffer overflow.

The associated EPSS score has remained flat at 0.1865 with no material increase after disclosure.

EU & UK References

Vulnerability details

Adobe Photoshop versions 22.5.4 (and earlier) and 23.1 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires…

more

user interaction in that a victim must open a crafted file in Photoshop.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
photoshop
≤ 22.5.4 · 23.0 — 23.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

References