Cyber Posture

CVE-2026-21349 (severity: High)

Published: 10 February 2026
Modified: 19 February 2026
KEV Added: not listed
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21349 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Lightroom. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 12.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely identification, reporting, and patching of the out-of-bounds write flaw in Lightroom Desktop as specified in Adobe Security Bulletin APSB26-06.

Detect: Enables vulnerability scanning to identify deployed instances of vulnerable Lightroom Desktop versions affected by CVE-2026-21349.

Detect: Ensures receipt and distribution of security advisories like APSB26-06 to prompt remediation of the Lightroom vulnerability.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The out-of-bounds write enables arbitrary code execution when a user opens a malicious file (T1204.002), and it directly matches exploitation of a client application (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Lightroom Desktop versions 15.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysis

CVE-2026-21349 is an out-of-bounds write vulnerability (CWE-787) in Adobe Lightroom Desktop versions 15.1 and earlier. The flaw occurs during file processing and can result in arbitrary code execution in the context of the current user.

Exploitation requires local access and user interaction, as a victim must open a malicious file. An attacker can craft such a file to trick the user, leading to code execution with the privileges of the logged-in user. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects high impact on confidentiality, integrity, and availability with low attack complexity.

Adobe Security Bulletin APSB26-06 provides details on the vulnerability and available patches. Practitioners should consult https://helpx.adobe.com/security/products/lightroom/apsb26-06.html for mitigation steps, including updating to a patched version of Lightroom Desktop.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products: Adobe Lightroom, versions 14.5.2 and earlier; 15.0 through 15.1.1
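The vulnerability-scanning control above (identify deployed vulnerable Lightroom Desktop versions) comes down to comparing reported versions against the affected ranges listed in this record. The following Python is an added example, not code from this site or from Adobe: it encodes the two ranges from the Affected Products entry as inclusive bounds, treats version strings as dotted integers, and runs the check over a constructed, fictitious software inventory.

```python
import re

# Affected ranges exactly as listed in this record's Affected Products entry,
# as inclusive (low, high) bounds. None means unbounded on that side.
AFFECTED_RANGES = [
    (None, "14.5.2"),     # 14.5.2 and earlier
    ("15.0", "15.1.1"),   # 15.0 through 15.1.1
]


def parse_version(v):
    """Turn '15.1.1' into (15, 1, 1). Only dotted-digit strings are accepted;
    anything else (build tags, blanks) is rejected rather than guessed at."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError("unrecognised version string: %r" % v)
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:          # pad so 15.1 and 15.1.0 compare equal
        parts.append(0)
    return tuple(parts)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if the version falls inside any listed inclusive range."""
    v = parse_version(version)
    for low, high in ranges:
        if low is not None and v < parse_version(low):
            continue
        if high is not None and v > parse_version(high):
            continue
        return True
    return False


# Constructed sample inventory (hostname -> reported Lightroom Desktop version),
# in the shape an endpoint-management export might take. Not real data.
SAMPLE_INVENTORY = {
    "ws-design-01": "15.1.1",
    "ws-design-02": "15.2.0",
    "ws-photo-07": "14.5.2",
    "ws-photo-09": "14.6.0",   # falls between the two listed ranges
    "lt-editor-03": "13.4",
}


def scan_inventory(inventory, ranges=AFFECTED_RANGES):
    """Return the sorted hostnames whose version is in an affected range."""
    return sorted(h for h, v in inventory.items() if is_affected(v, ranges))


if __name__ == "__main__":
    for host in scan_inventory(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], "affected; see Adobe APSB26-06")
```

Note the gap: a host on 14.6.0 sits between the two listed ranges and is not flagged, while the NVD text's "15.1 and earlier" wording is broader. Because the ranges are a parameter, a conservative scan can pass a single `[(None, "15.1.1")]` range and remediate anything it flags against APSB26-06 rather than trusting the narrower table.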

CVEs Like This One

CVE-2026-21352 (same vendor: Adobe)
CVE-2025-21136 (same vendor: Adobe)
CVE-2025-24450 (same vendor: Adobe)
CVE-2026-21305 (same vendor: Adobe)
CVE-2026-21307 (same vendor: Adobe)
CVE-2025-24445 (same vendor: Adobe)
CVE-2026-21334 (same vendor: Adobe)
CVE-2026-21298 (same vendor: Adobe)
CVE-2026-27280 (same vendor: Adobe)
CVE-2026-21299 (same vendor: Adobe)
