CVE-2025-21122

High

Published: 14 January 2025

Published

14 January 2025

Modified

11 February 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Photoshop Desktop versions 25.12, 26.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21122 is an Integer Underflow (Wrap or Wraparound) vulnerability, classified as CWE-191, affecting Adobe Photoshop Desktop versions 25.12, 26.1, and earlier. Published on 2025-01-14, this issue resides in the desktop application and could lead to arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The attack requires local access with low attack complexity and no privileges, but user interaction is mandatory, specifically opening a malicious file. An attacker could exploit this by tricking a victim into processing a specially crafted file, such as via email attachments or shared documents. Successful exploitation enables arbitrary code execution with high impacts on confidentiality, integrity, and availability, running in the privileges of the logged-in user.

Adobe's security bulletin APSB25-02, detailed at https://helpx.adobe.com/security/products/photoshop/apsb25-02.html, addresses the vulnerability and outlines mitigations or patches for affected versions.

Details

CWE(s): CWE-191

Affected Products

adobe

photoshop

25.0 — 25.12.1 · 26.0 — 26.2

References

https://helpx.adobe.com/security/products/photoshop/apsb25-02.html
Vendor Advisory · psirt@adobe.com