CVE-2026-21353
Published: 10 February 2026
Summary
CVE-2026-21353 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the Adobe DNG Software Development Kit. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 9.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires identification, prioritization, and timely patching of the integer overflow flaw in DNG SDK as detailed in Adobe's APSB26-23 bulletin.
Mandates validation of file inputs to prevent integer overflows from maliciously crafted DNG files processed by the vulnerable SDK.
Implements memory safeguards such as ASLR and DEP to block arbitrary code execution resulting from successful integer overflow exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Integer overflow in image SDK enables RCE when user opens crafted DNG file (direct match to malicious file user execution).
NVD Description
DNG SDK versions 1.7.1 2410 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Deeper analysis
CVE-2026-21353 is an Integer Overflow or Wraparound vulnerability (CWE-190) affecting Adobe DNG SDK versions 1.7.1 2410 and earlier. The flaw could result in arbitrary code execution in the context of the current user.
Exploitation requires local access (AV:L) with low complexity (AC:L) and no privileges (PR:N), but necessitates user interaction (UI:R) in the form of opening a malicious file. A successful attack has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) with scope unchanged (S:U), giving a CVSS v3.1 base score of 7.8.
Adobe's security bulletin APSB26-23, available at https://helpx.adobe.com/security/products/dng-sdk/apsb26-23.html, addresses this issue with details on patches and mitigation.
Details
- CWE(s)