On March 10, 2026, Adobe published security bulletin APSB26-30, addressing two vulnerabilities in the Adobe DNG Software Development Kit (SDK) for Windows and macOS. The update was part of Adobe's March 2026 Patch Tuesday release, which resolved 80 vulnerabilities across eight products in total. For the DNG SDK specifically, the patch moves the affected build, DNG SDK 1.7.1 build 2471, to DNG SDK 1.7.1 build 2502. What makes this release notable is not just the vulnerabilities themselves but the pattern they reveal: this is the third DNG SDK security bulletin in just over three months, and both new CVEs were found by the same two researchers who reported most of the previous ones.
What Is the Adobe DNG Software Development Kit?
Before getting into the vulnerabilities, it is worth being precise about what the DNG SDK actually is, because it occupies a different space than most software people interact with directly.
Digital Negative (DNG) is a publicly available, open archival format for raw image files generated by digital cameras. Adobe launched the DNG specification on September 27, 2004, with the explicit goal of addressing a problem that had long frustrated photographers and developers: the proliferation of proprietary, undocumented raw formats tied to specific camera manufacturers. Canon, Nikon, Sony, Olympus — each used its own format, and software had to be continuously updated to support them. DNG was designed to be a universal alternative, built on the TIFF 6.0 standard, that any vendor could implement without reverse-engineering or licensing obstacles.
"Raw file formats are popular in digital photography workflows because they offer greater creative control. However, cameras can use many different raw formats, the specifications for which are not publicly available." — Adobe, Digital Negative specification page
The US Library of Congress has recommended DNG as an archival alternative to proprietary raw formats. The Digital Photography Best Practices and Workflow project, funded by the Library of Congress and run by the American Society of Media Photographers, noted that DNG files proved significantly more useful than proprietary raw files in archival workflows. Hundreds of software manufacturers — including Apple and Google — and camera makers such as Leica, Pentax, Ricoh, Samsung, and Casio have built native DNG support into their products.
The DNG SDK is the developer-facing side of this ecosystem. It is a free, downloadable toolkit that gives third-party software developers the library code they need to read, write, and process DNG files inside their own applications. Camera manufacturers use it to build DNG output into firmware. Photo editing applications use it to open and convert DNG images. Because the SDK is embedded at a low level inside many different products — not just Adobe's own software — a vulnerability in the SDK itself has a surface area that extends well beyond anything Adobe ships directly.
The Vulnerabilities in APSB26-30
The March 10 bulletin resolves two CVEs. Both are scored under CVSS 3.1 with a local attack vector, no privileges required, and user interaction required: a user must open or otherwise process a specially crafted DNG file for exploitation to occur. Adobe stated in the bulletin that it was not aware of any exploits in the wild for either issue at the time of release.
| CVE | Type | CWE | Impact | Severity | CVSS Score |
|---|---|---|---|---|---|
| CVE-2026-27280 | Out-of-bounds Write | CWE-787 | Arbitrary Code Execution | Critical | 7.8 |
| CVE-2026-27281 | Integer Overflow or Wraparound | CWE-190 | Application Denial-of-Service | Important | 5.5 |
Both vulnerabilities were discovered and reported to Adobe by Brendon Tiszka and Mateusz Jurczyk of Google Project Zero.
CVE-2026-27280 — Out-of-bounds Write (CWE-787)
This is the more severe of the two bugs. An out-of-bounds write occurs when a program writes outside the buffer it allocated, either before its start or past its end. In a file-parsing library such as the DNG SDK, this class typically arises while processing image data: a malformed file supplies dimensions, offsets or counts that the library turns into an incorrect buffer size or write position, so it writes into adjacent memory it does not own.
The practical consequence of a successful out-of-bounds write is often arbitrary code execution. An attacker who controls what gets written to that unintended memory location can potentially overwrite function pointers, return addresses, or heap metadata in ways that redirect execution flow. Adobe has assigned this bug a CVSS base score of 7.8, using the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The High ratings for confidentiality, integrity, and availability reflect that a successful exploit runs with the full privileges of whatever process parsed the file.
CVE-2026-27281 — Integer Overflow or Wraparound (CWE-190)
The second bug is an integer overflow (or wraparound): an arithmetic result exceeds the range of its integer type and, for unsigned arithmetic, wraps modulo 2^n to a much smaller value. In image-parsing code this most often shows up in size calculations, for instance multiplying width by height by bytes per sample to size a buffer. If that product wraps, the buffer is far smaller than the data later written into it, which is exactly how an integer overflow turns into the kind of out-of-bounds write described above.
Here Adobe classifies the impact as application denial of service rather than code execution, scoring it 5.5 with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Availability impact is High while confidentiality and integrity are None, which indicates that the overflow as found crashes the application but was not judged to give an attacker control over what is written or executed.
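The two bug classes above are usually one chain inside an image parser: a wrapped size calculation (CWE-190) produces an undersized buffer, and the decode loop that still trusts the original dimensions writes past it (CWE-787). The C example below is added here to illustrate that chain; it is not code from the DNG SDK or from the bulletin, and the `tile_desc` layout, the `MAX_TILE_BYTES` ceiling and the sample dimensions are assumptions chosen for the demonstration. It places the vulnerable 32-bit size computation beside an overflow-checked version and a check a decoder can run before it writes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical tile description as a parser would decode it from an untrusted
 * DNG/TIFF file: every field is attacker-controlled. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} tile_desc;

/* Constructed inputs: a sane 256x256 RGB tile and a hostile one whose
 * dimensions were chosen so that width*height wraps a 32-bit product. */
static const tile_desc sane_tile    = { 256u,   256u,   3u };
static const tile_desc hostile_tile = { 65536u, 65537u, 1u };

/* Vulnerable (CWE-190): the product wraps modulo 2^32, so the hostile tile
 * yields a 64 KiB allocation for a decode that needs more than 4 GiB. */
static uint32_t vulnerable_tile_size(const tile_desc *t)
{
    return t->width * t->height * t->bytes_per_pixel;
}

/* Overflow-checked multiply; returns 0 (and leaves *out untouched) on overflow. */
static int checked_mul_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Assumed policy ceiling on a single tile; real parsers derive this from
 * format limits or configuration, never from the file itself. */
#define MAX_TILE_BYTES (256u * 1024u * 1024u)

/* Hardened: rejects zero dimensions, wrapped products and oversized tiles.
 * Returns the byte count, or 0 when the tile must be rejected. */
static size_t safe_tile_size(const tile_desc *t)
{
    uint64_t n;
    if (t->width == 0 || t->height == 0 || t->bytes_per_pixel == 0)
        return 0;
    if (!checked_mul_u64(t->width, t->height, &n))
        return 0;
    if (!checked_mul_u64(n, t->bytes_per_pixel, &n))
        return 0;
    if (n > MAX_TILE_BYTES)
        return 0;
    return (size_t)n;
}

/* Bytes a row-by-row decoder will actually write, computed in 64 bits so the
 * comparison below cannot itself wrap. */
static uint64_t decode_bytes_needed(const tile_desc *t)
{
    return (uint64_t)t->width * t->height * t->bytes_per_pixel;
}

/* 1 if writing the decoded tile into a buffer of `alloc` bytes would run past
 * its end: the CWE-787 consequence of trusting the wrapped size. */
static int decode_would_overflow(const tile_desc *t, size_t alloc)
{
    return decode_bytes_needed(t) > (uint64_t)alloc;
}

int main(void)
{
    const tile_desc *tiles[2] = { &sane_tile, &hostile_tile };
    for (int i = 0; i < 2; i++) {
        const tile_desc *t = tiles[i];
        uint32_t bad = vulnerable_tile_size(t);
        size_t good = safe_tile_size(t);
        printf("%ux%ux%u: vulnerable alloc=%u (decode overflows: %s), "
               "hardened alloc=%zu%s\n",
               t->width, t->height, t->bytes_per_pixel,
               bad, decode_would_overflow(t, bad) ? "yes" : "no",
               good, good ? "" : " (rejected)");
    }
    return 0;
}
```

The hostile tile (65536 x 65537 x 1) needs 4,295,032,832 bytes; the wrapped 32-bit product is 65,536, so a decoder that trusts it writes roughly 4 GiB into a 64 KiB buffer. The hardened path refuses the tile before any allocation. The separate `decode_would_overflow` check matters even when sizing is correct: the write site should compare against the buffer it was actually given, not recompute the size from file-supplied fields.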
Adobe's Priority 3 rating for this bulletin is its lowest tier. Adobe reserves it for updates to products that have historically not been a target for attackers, and its guidance for Priority 3 is that administrators install the update at their discretion, in contrast to the higher priorities routinely attached to ColdFusion or Acrobat Reader updates. The rating is an estimate of attacker interest, not of exploitability: CVE-2026-27280 is still rated Critical. All affected DNG SDK versions are covered by a single solution: updating to DNG SDK 1.7.1 build 2502.
A Pattern of DNG SDK Findings from Google Project Zero
What places APSB26-30 in a broader context is the researchers behind it. Brendon Tiszka and Mateusz Jurczyk are both members of Google Project Zero, the security research team Google formed in 2014 to find zero-day vulnerabilities in widely used software and hardware. Their involvement in three consecutive DNG SDK bulletins in just over three months reflects a sustained research focus on how the SDK parses image data, not a series of isolated discoveries.
Looking back at the full sequence of bulletins:
- In December 2025 (bulletin APSB25-118, published December 9, 2025), Adobe patched four DNG SDK vulnerabilities — CVE-2025-64783, CVE-2025-64784, CVE-2025-64893, and CVE-2025-64894. Tiszka reported CVE-2025-64783 independently; Tiszka and Jurczyk jointly reported the remaining three. The bugs included a critical integer overflow enabling arbitrary code execution (7.8), two critical heap-based buffer overflow and out-of-bounds read issues enabling memory exposure (both 7.1), and an important integer overflow causing denial-of-service (5.5). That update brought the SDK from version 1.7.0 to DNG SDK 1.7.1 build 2410.
- In February 2026 (bulletin APSB26-23, published February 10, 2026), Adobe patched four more DNG SDK vulnerabilities — CVE-2026-21352, CVE-2026-21353, CVE-2026-21354, and CVE-2026-21355. Tiszka and Jurczyk reported the first three; a researcher identified only as "Ruikai" reported the fourth. Two of the bugs were critical (out-of-bounds write and integer overflow both enabling code execution, both 7.8), one was an important integer overflow causing denial-of-service (5.5), and one was an important out-of-bounds read enabling memory exposure (5.5). That update moved the SDK from build 2410 to build 2471.
- In March 2026 (APSB26-30, published March 10, 2026), the current bulletin, Tiszka and Jurczyk reported both CVEs. The SDK moves from build 2471 to build 2502.
Across these three bulletins, the Google Project Zero pair has been credited with reporting nine of the ten total DNG SDK CVEs patched since December 2025. The vulnerability types repeat in recognizable ways: integer overflows and out-of-bounds reads and writes are consistently present, which is characteristic of a structured fuzzing campaign or code audit targeting the image-parsing logic in the SDK's raw data processing pipeline.
"Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities." — Wikipedia, Project Zero
Mateusz Jurczyk, who operates under the handle j00ru and has worked at Google Project Zero since at least 2014, has a long public record of image format vulnerability research. He was publishing research on Samsung's Quram image-processing library as early as 2020. In December 2025, Project Zero published a full technical writeup documenting how a DNG file was used as an exploit vehicle in an in-the-wild Android attack targeting that same Quram library, a separate codebase from the Adobe DNG SDK but one that implements the same DNG specification. The writeup described how corrupting pixel buffer bounds through a single shallow bug was sufficient to gain access to all images and videos in an Android device's media store, giving the research community a concrete demonstration of the real-world damage potential of DNG parsing vulnerabilities.
That December 2025 Project Zero post was specific to Samsung's proprietary implementation, not Adobe's SDK. But it reinforces why continued research scrutiny of DNG parsers in general — including Adobe's — is warranted. The DNG specification is complex; it includes opcodes, tile-based image structures, and support for many encoding types. Any implementation that parses that specification from untrusted input is a meaningful attack surface.
Why the DNG SDK Is a High-Value Research Target
The DNG SDK's role as embedded infrastructure makes it an interesting target from a security research perspective. Unlike a consumer application that a user downloads and runs, the SDK is a library — its code runs inside other people's code. A vulnerability in the SDK affects every application that ships the vulnerable version of the library. Camera firmware, digital asset management tools, photo editing suites, mobile apps that process raw image uploads — all are potentially in scope.
The DNG format itself also creates inherent parsing complexity. A DNG file is an extension of TIFF 6.0, meaning it uses a tag-based structure that supports a large number of data types, embedded previews, opcodes that describe additional processing steps, and raw sensor data that can be encoded in various tile and strip configurations. The SDK must handle all of this, including malformed inputs that violate the specification in ways that real-world DNG converters could still produce. That complexity, combined with the SDK's wide deployment, makes it a natural target for researchers looking for broadly impactful vulnerabilities.
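To make the tag-based structure concrete, here is a minimal little-endian TIFF 6.0 IFD walker in C. It is an added example, not code from the DNG SDK, and it parses only the header and the first IFD of a constructed in-memory file. The entry layout it relies on (a 2-byte entry count, 12-byte entries of tag, type, count and value-or-offset, and a 4-byte next-IFD pointer) is TIFF 6.0's; the error codes, the sample bytes and the `parse_with_patch` helper are this example's own. The patched variants at the end show the inputs that 32-bit offset or count arithmetic would get wrong.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Error codes are this example's own, not the SDK's. */
enum { TIFF_ERR_SHORT = -1, TIFF_ERR_MAGIC = -2, TIFF_ERR_IFD_OFFSET = -3,
       TIFF_ERR_IFD_TRUNC = -4, TIFF_ERR_TYPE = -5, TIFF_ERR_VALUE_OOB = -6 };

typedef struct {
    uint16_t tag, type;
    uint32_t count, value_or_offset;
} tiff_entry;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Byte width of TIFF 6.0 field types 1..12 (BYTE, ASCII, SHORT, LONG, RATIONAL,
 * SBYTE, UNDEFINED, SSHORT, SLONG, SRATIONAL, FLOAT, DOUBLE). */
static const uint8_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Parses the first IFD of a little-endian TIFF held in memory. Returns the
 * number of entries (copying up to max_out of them) or a TIFF_ERR_* code.
 * All size arithmetic is done in 64 bits so hostile 32-bit values cannot wrap. */
static int parse_first_ifd(const uint8_t *buf, size_t len,
                           tiff_entry *out, size_t max_out)
{
    if (len < 8) return TIFF_ERR_SHORT;
    if (buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return TIFF_ERR_MAGIC;

    uint32_t ifd = rd32(buf + 4);
    /* IFD must be word-aligned, after the header, with room for its count. */
    if (ifd < 8 || (ifd & 1u) || (uint64_t)ifd + 2 > len) return TIFF_ERR_IFD_OFFSET;

    uint16_t n = rd16(buf + ifd);
    /* n entries of 12 bytes plus the 4-byte next-IFD pointer must fit. */
    if ((uint64_t)ifd + 2 + (uint64_t)n * 12 + 4 > len) return TIFF_ERR_IFD_TRUNC;

    size_t produced = 0;
    for (unsigned i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        tiff_entry ent = { rd16(e), rd16(e + 2), rd32(e + 4), rd32(e + 8) };
        if (ent.type == 0 || ent.type > 12) return TIFF_ERR_TYPE;
        /* count (u32) * type_size (<= 8) can reach 2^35: never compute in 32 bits. */
        uint64_t bytes = (uint64_t)ent.count * type_size[ent.type];
        /* Values wider than 4 bytes are stored out of line at value_or_offset. */
        if (bytes > 4 && (uint64_t)ent.value_or_offset + bytes > len)
            return TIFF_ERR_VALUE_OOB;
        if (produced < max_out) out[produced] = ent;
        produced++;
    }
    return (int)produced;
}

/* Constructed sample (not a real camera file): header, one IFD with
 * ImageWidth=256, ImageLength=256, BitsPerSample=[8,8,8] stored out of line
 * at offset 50, no image data. 56 bytes in total. */
static const uint8_t good_tiff[] = {
    'I', 'I', 42, 0, 8, 0, 0, 0,                          /* header, IFD at 8  */
    3, 0,                                                 /* 3 entries         */
    0x00, 0x01, 3, 0, 1, 0, 0, 0, 0x00, 0x01, 0, 0,       /* 256 ImageWidth    */
    0x01, 0x01, 3, 0, 1, 0, 0, 0, 0x00, 0x01, 0, 0,       /* 257 ImageLength   */
    0x02, 0x01, 3, 0, 3, 0, 0, 0, 50, 0, 0, 0,            /* 258 BitsPerSample */
    0, 0, 0, 0,                                           /* no next IFD       */
    8, 0, 8, 0, 8, 0                                      /* the three SHORTs  */
};

/* Copies the sample, overwrites the 32-bit field at byte `pos`, and parses it. */
static int parse_with_patch(size_t pos, uint32_t v)
{
    uint8_t buf[sizeof good_tiff];
    tiff_entry ents[8];
    memcpy(buf, good_tiff, sizeof buf);
    for (int i = 0; i < 4; i++) buf[pos + i] = (uint8_t)(v >> (8 * i));
    return parse_first_ifd(buf, sizeof buf, ents, 8);
}

/* ImageWidth from the untouched sample, or -1 if it is missing. */
static int good_image_width(void)
{
    tiff_entry e[8];
    int n = parse_first_ifd(good_tiff, sizeof good_tiff, e, 8);
    for (int i = 0; i < n; i++)
        if (e[i].tag == 256 && e[i].type == 3) return (int)e[i].value_or_offset;
    return -1;
}

int main(void)
{
    printf("good sample: %d entries, ImageWidth=%d\n", parse_with_patch(4, 8u), good_image_width());
    printf("BitsPerSample offset -> 4096:      %d\n", parse_with_patch(42, 4096u));
    printf("BitsPerSample count -> 0x80000000: %d\n", parse_with_patch(38, 0x80000000u));
    printf("IFD offset -> 0xFFFFFFFE:          %d\n", parse_with_patch(4, 0xFFFFFFFEu));
    return 0;
}
```

Two of the patched inputs are the interesting ones. A BitsPerSample count of 0x80000000 with the 2-byte SHORT type gives 2^32 bytes; in 32-bit arithmetic that product wraps to 0, which a naive parser would treat as an inline value and then iterate over count times. An IFD offset of 0xFFFFFFFE plus the 2-byte count field wraps to 0 in 32 bits and passes a `<= len` check, while the 64-bit comparison rejects it. Real DNG files add tiles, strips, opcode lists and sub-IFDs on top of this, and each of those is another offset-and-count pair the parser must validate in exactly this way.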
There is also a specific concern about how DNG files reach parser code in practice. Unlike a document or spreadsheet, an image file feels low-risk to many users and security teams. Photographers open raw files from unfamiliar sources regularly. Automated pipelines ingest image uploads without human review. A crafted DNG file sent through an image-sharing platform, embedded in a photo management workflow, or delivered to a device's media store could reach parser code without any of the scrutiny that a suspicious executable or document would receive.
The December 2025 Google Project Zero writeup on the Samsung DNG exploit made this point concretely. The researchers noted that while the exploit required a user to click the image to trigger the download in the described WhatsApp scenario, the underlying attack surface — the image parsing library — was reached through a code path that did not require the user to do anything beyond possessing a device that handled DNG files. A different delivery mechanism, or a library configured to process images automatically, could have made the interaction requirement irrelevant.
Affected Versions and How to Update
The affected version is any DNG SDK 1.7.1 build 2471 or earlier. This includes DNG SDK 1.7.0 (the version current before December 2025), build 2410 (the version current after December 2025's patch), and build 2471 (the version current after February 2026's patch). The solution in all cases is to update to DNG SDK 1.7.1 build 2502, which Adobe made available through the official DNG tech note page on March 10, 2026.
For end users of Adobe consumer software such as Lightroom and Camera Raw, Adobe's own products incorporate the DNG SDK internally, and those products receive their own updates through the Creative Cloud update mechanism. Users of those products do not interact with the SDK directly and should keep their Adobe software updated through the standard Creative Cloud Desktop application update flow.
For software developers and organizations that ship or embed the DNG SDK in their own products, the update path requires obtaining build 2502 from Adobe's tech note page and integrating it into their own build and release pipelines. This is a distinction that matters operationally: end-user Adobe products and third-party products that embed the SDK are on separate update timelines. A vulnerability patched in the SDK on March 10 may remain present in a third-party application that has not yet pulled in the updated library.
If your product embeds or ships the Adobe DNG SDK, you are responsible for distributing the updated build 2502 to your users. Adobe's patch does not automatically propagate to third-party applications. Software vendors should check which SDK build their current release ships and initiate an update cycle if it is DNG SDK 1.7.1 build 2471 or earlier.
Key Takeaways
- Update to DNG SDK 1.7.1 build 2502: Any version at or before build 2471 is affected. The update is available now from Adobe's DNG tech note page. Adobe has assigned a Priority 3 rating, meaning no active exploitation is known, but the critical-severity CVE-2026-27280 carries sufficient impact to warrant prompt action.
- Third-party vendors must push their own updates: The DNG SDK is embedded in many products outside of Adobe's own ecosystem. Camera firmware developers, photo management software vendors, and anyone else who ships the DNG SDK as a dependency must assess their current build version and issue their own update to deliver build 2502 to their users.
- Ongoing research scrutiny of DNG parsing continues: Ten DNG SDK CVEs have been patched in just over three months (December 2025 to March 2026), nine of them discovered by the same two Google Project Zero researchers. This is a sustained research focus, not a coincidence. Organizations that rely on DNG SDK-based software should treat their dependency management for this library with the same seriousness they would apply to any actively researched component.
- Image files are a real attack vector: The broader DNG research context — including the December 2025 in-the-wild exploit documented by Project Zero — demonstrates that image parsing vulnerabilities can be weaponized in real attacks. The intuition that image files are safe is not a reliable security posture for systems that parse raw image formats from untrusted sources.
Adobe's full security bulletin for APSB26-30 is available at helpx.adobe.com/security/products/dng-sdk/apsb26-30.html. The updated DNG SDK 1.7.1 build 2502 is available through Adobe's Digital Negative tech note page. For general security inquiries to Adobe, the company's security team can be reached at PSIRT@adobe.com.
Sources: Adobe Security Bulletin APSB26-30 (March 10, 2026) — Adobe Security Bulletin APSB26-23 (February 10, 2026) — Adobe Security Bulletin APSB25-118 (December 9, 2025) — Zero Day Initiative, March 2026 Security Update Review — Qualys Threat Research, March 2026 Patch Tuesday — SecurityWeek, "Adobe Patches 80 Vulnerabilities Across Eight Products" — Google Project Zero, "A Look at an Android ITW DNG Exploit" (December 2025) — Adobe, Digital Negative (DNG) tech note page — Mateusz Jurczyk, j00ru//vx tech blog