Adobe has released critical security updates addressing three high-severity vulnerabilities (CVE-2025-30324, CVE-2025-30325, CVE-2025-30326) in Photoshop 2024 and 2025 that could allow arbitrary code execution on Windows and macOS systems.
The issues, discovered by external researcher yjdfy through Adobe's HackerOne bug bounty program, involve memory corruption risks stemming from integer manipulation and uninitialized pointer access.
While no active exploits have been observed, the patches released on May 13, 2025, mitigate attack vectors that require user interaction through malicious file processing.
The vulnerabilities center on improper memory management during image file processing.
CVE-2025-30324 involves an integer underflow/wraparound error in Photoshop's layer compositing engine, where subtracting larger values from smaller unsigned integers creates invalid memory offsets.
This could allow attackers to craft .PSD files that trigger buffer underwrite conditions, corrupting adjacent memory regions.
CVE-2025-30325 stems from an integer overflow in the CMYK color space conversion module. Specially constructed color profiles that exceed 32-bit integer limits during pixel calculations cause heap buffer overflows.
Both vulnerabilities received CVSSv3.1 scores of 7.8 due to local attack vectors requiring user interaction via the opening of a malicious file.
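The two arithmetic defects described above, shown generically as an added example (not Adobe's code): an unsigned subtraction that wraps into a bogus offset, and a 32-bit pixel-size product that silently truncates, each beside a checked version. Function names, the buffer model and the size ceiling are assumptions for illustration.

```c
/* Added example, not Photoshop code: generic image-buffer arithmetic
 * illustrating the underflow and overflow patterns in the advisory. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* CVE-2025-30324 pattern: if layer_offset > row_end the unsigned
 * subtraction wraps to a value near UINT32_MAX, and a copy that trusts
 * this span reaches far outside the buffer (buffer underwrite). */
size_t unchecked_span(uint32_t row_end, uint32_t layer_offset) {
    return (size_t)(row_end - layer_offset);   /* wraps on underflow */
}

/* Checked version: validate the operands before subtracting, and tie
 * the result to the actual buffer length. */
bool checked_span(uint32_t row_end, uint32_t layer_offset,
                  uint32_t buf_len, uint32_t *out) {
    if (layer_offset > row_end || row_end > buf_len)
        return false;                          /* would underflow or overrun */
    *out = row_end - layer_offset;
    return true;
}

/* CVE-2025-30325 pattern: width*height*channels computed in 32 bits.
 * Once the product exceeds UINT32_MAX it truncates, so the allocation
 * is far smaller than the per-pixel loop later writes (heap overflow). */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height,
                               uint32_t channels) {
    return width * height * channels;          /* silently truncated */
}

/* Checked version: widen to 64 bits, detect overflow, and enforce an
 * assumed per-image ceiling so a huge but valid product is also refused. */
bool checked_pixel_bytes(uint32_t width, uint32_t height,
                         uint32_t channels, size_t *out) {
    const uint64_t limit = (uint64_t)1 << 31;  /* assumed 2 GiB ceiling */
    uint64_t n = (uint64_t)width * height;     /* cannot overflow 64 bits */
    if (n > UINT32_MAX)
        return false;                          /* would not fit the 32-bit path */
    n *= channels;                             /* n < 2^32 and channels < 2^32 */
    if (n == 0 || n > limit)
        return false;
    *out = (size_t)n;
    return true;
}
```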
The third flaw, CVE-2025-30326, relates to Photoshop's handling of legacy TIFF metadata tags.
Failure to initialize pointer references when reading Exif data from manipulated TIFF headers could dereference attacker-controlled memory addresses.
Adobe's bulletin notes that all three issues enable arbitrary code execution at the target's privilege level, posing significant risk given how often Photoshop runs with elevated permissions.
Patch Deployment and Mitigation Strategies
Affected versions include Photoshop 2025 (26.5 and earlier) and Photoshop 2024 (25.12.2 and earlier) on both platforms.
The updates, version 26.6 for 2025 and 25.12.3 for 2024, strengthen bounds checking in raster operations and implement pointer validation routines.
Creative Cloud users receive automatic updates through the desktop app's background service, though administrators must manually approve deployments in managed environments using the Admin Console.
Enterprise deployments should prioritize testing the patch's compatibility with third-party plugins, as memory layout changes might affect legacy extensions.
Temporary mitigation for unpatched systems involves configuring Group Policy Objects (Windows) or Mobile Device Management profiles (macOS) to restrict Photoshop from opening files from untrusted sources.
However, Adobe emphasizes that these workarounds impair functionality and should not replace permanent patching.
Implications for Creative Professionals
These vulnerabilities highlight persistent challenges in securing complex graphics software against file-based attacks.
Despite Adobe's $250,000 maximum bounty for critical flaws, the discovery by a single researcher suggests potential gaps in automated code auditing for memory corruption bugs.
The company's PSIRT team has expanded its fuzzing infrastructure for image formats since 2023, but edge cases in legacy format support remain problematic.
For users, the update underscores the importance of software lifecycle management: organizations still using Photoshop 2024 must weigh upgrade urgency against potential workflow disruptions.
Security analysts recommend sandboxing graphics software through virtualization or containerization, particularly for roles involving frequent external file exchanges.
Adobe's transparent disclosure continues a trend of improved vendor responsiveness, with patches released within 90 days of the initial researcher report.
As file-based attacks increasingly target creative industries, the incident reinforces the need for sector-specific threat intelligence sharing through platforms like CISA's AIS network.
The updates mark Adobe's fourth critical Photoshop patch in 2025, reflecting both intensified security research efforts and the software's expanding attack surface from AI-driven features.
Users should validate their Creative Cloud update status immediately and audit recent file-processing activity for anomalies.
While current mitigations reduce the likelihood of exploitation, the technical complexity of memory corruption flaws ensures persistent risk that requires ongoing vigilance.