CVE-2026-27289 Adobe CVE debrief

Who should care

Organizations using Adobe Photoshop Desktop in creative workflows, particularly those where users receive files from external clients, contractors, or public sources. Security teams responsible for endpoint protection and software update management in design, marketing, and media production environments.

Technical summary

The vulnerability is an out-of-bounds read (CWE-125) in Photoshop Desktop's file parsing logic. When processing a crafted file, the application reads beyond allocated memory boundaries. This memory safety defect can be exploited to achieve arbitrary code execution under the current user's privileges. The attack requires social engineering to convince a victim to open a malicious file. The local attack vector and user interaction requirement limit but do not eliminate the threat, particularly in environments where users routinely exchange creative assets.

Defensive priority

HIGH

Recommended defensive actions

• Update Adobe Photoshop Desktop to version 27.5 or later as specified in Adobe security bulletin APSB26-40.
• Implement application control policies to restrict execution of untrusted Photoshop files (.psd, .psb, and other supported formats).
• Train users to avoid opening Photoshop files from untrusted sources, including email attachments and unsolicited downloads.
• Consider enabling protected view or sandboxing features where available for document-opening workflows.
• Monitor for anomalous Photoshop process behavior that may indicate attempted exploitation of parsing vulnerabilities.

Evidence notes

The vulnerability affects Photoshop Desktop versions from 27.0 up to but not including 27.5, per CPE criteria in the NVD record. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates local attack vector, low attack complexity, no privileges required, user interaction required, and high impacts to confidentiality, integrity, and availability.

Official resources