Adobe Photoshop is a widely used graphics editor for creating, editing, and manipulating images. Because it is so widely deployed, keeping it up to date with the latest security patches is essential. CVE-2023-26370 affects Adobe Photoshop versions 23.5.5 (and earlier) and 24.7 (and earlier) and could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction: a victim must open a malicious file to trigger the vulnerability. This blog post covers the details of CVE-2023-26370, including the exploit details, code snippets, and links to original references.

Vulnerability Details

The vulnerability, tracked as CVE-2023-26370, is an Access of Uninitialized Pointer issue in certain versions of Adobe Photoshop. When a specially crafted Photoshop file is opened, the application can use a pointer that was never properly initialized, so it reads or writes through whatever value happens to be in that memory. This can lead to arbitrary code running in the context of the current user, which puts the user's data and system integrity at high risk.

Exploit Details

To exploit this vulnerability, an attacker would create a malicious Photoshop file crafted specifically to trigger the uninitialized pointer access. The attacker would then need to convince their target to open this file in a vulnerable version of Adobe Photoshop. Once the target user opens the malicious file, the arbitrary code embedded within it could execute, causing potential harm to the user's system or data.

A simplified example of how a malicious file could trigger this vulnerability follows:

// Malformed Photoshop file example
header {
    magic = '8BPS'; // Photoshop signature
    version = 1; // Photoshop file version
    num_channels = 3; // Number of channels (R, G, B)
    height = 256; // Image height
    width = 256; // Image width
    depth = 8; // Channel depth (bits)
}

// Trigger uninitialized pointer access
invalid_data {
    // Intentionally corrupt data that triggers vulnerability
}

This example illustrates what a malformed Photoshop file could look like, containing elements that would cause Adobe Photoshop to incorrectly access memory, leading to potential arbitrary code execution.

Original References

Adobe's official Security Bulletin (APSB23-27): https://helpx.adobe.com/security/products/photoshop/apsb23-27.html
CVE-2023-26370 Entry in NIST's National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-26370

Mitigation Steps

To protect yourself from potential exploitation of this vulnerability, update Adobe Photoshop to the latest version, which contains the necessary security patches. You can do this via the Adobe Creative Cloud app or by visiting Adobe's official website. Additionally, exercise caution when opening Photoshop files received from unknown sources or untrusted people, and always scan files with trustworthy antivirus software before opening them.
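As a triage aid for files from untrusted sources, the following added example (not from Adobe or the original post) parses the 26-byte PSD/PSB header, whose fields appear in the simplified layout earlier, and reports values outside the ranges in Adobe's published file format specification. It checks header structure only and does not detect CVE-2023-26370 specifically; the function name and the sample byte strings are constructed for illustration.

```python
import struct

# PSD/PSB header layout per Adobe's published file format specification:
# signature(4) version(2) reserved(6) channels(2) height(4) width(4)
# depth(2) color_mode(2), all big-endian, 26 bytes in total.
HEADER = struct.Struct(">4sH6sHIIHH")
VALID_DEPTHS = {1, 8, 16, 32}
VALID_MODES = {0, 1, 2, 3, 4, 7, 8, 9}  # Bitmap through Lab


def check_psd_header(data: bytes) -> list:
    """Return a list of structural problems found in a PSD/PSB header."""
    if len(data) < HEADER.size:
        return [f"truncated header: {len(data)} of {HEADER.size} bytes"]
    sig, version, reserved, channels, height, width, depth, mode = \
        HEADER.unpack_from(data)
    if sig != b"8BPS":
        # Not a Photoshop file, so the remaining fields are meaningless.
        return [f"bad signature {sig!r}"]
    problems = []
    if version not in (1, 2):
        problems.append(f"unknown version {version}")
    # PSB (version 2) allows 300000 pixels per side, PSD allows 30000.
    max_dim = 300_000 if version == 2 else 30_000
    if reserved != b"\x00" * 6:
        problems.append("reserved bytes are not zero")
    if not 1 <= channels <= 56:
        problems.append(f"channel count {channels} outside 1..56")
    for name, value in (("height", height), ("width", width)):
        if not 1 <= value <= max_dim:
            problems.append(f"{name} {value} outside 1..{max_dim}")
    if depth not in VALID_DEPTHS:
        problems.append(f"depth {depth} not one of {sorted(VALID_DEPTHS)}")
    if mode not in VALID_MODES:
        problems.append(f"unknown color mode {mode}")
    return problems


# Constructed sample headers (not taken from any real file).
GOOD = HEADER.pack(b"8BPS", 1, b"\x00" * 6, 3, 256, 256, 8, 3)
BAD = HEADER.pack(b"8BPS", 1, b"\x00" * 6, 0, 256, 0x7FFFFFFF, 8, 3)

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, check_psd_header(blob) or "header fields in range")
```

A clean result only means the header is well formed; the file should still be opened only in a patched Photoshop version.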

Conclusion

As with any software, Adobe Photoshop is subject to occasional security flaws and vulnerabilities. It is of the utmost importance to stay informed about potential risks and to protect yourself by keeping your applications up to date and following best practices for safe computing. Be vigilant in examining the source of files you receive and take due care in opening them. By familiarizing yourself with the details of CVE-2023-26370 and acting on the provided mitigation steps, you'll be better prepared to safeguard your system and data from potential threats.

Timeline

Published on: 10/11/2023 12:15:00 UTC
Last modified on: 10/14/2023 01:55:00 UTC