CVE-2026-27289: Out-of-Bounds Read in Adobe Photoshop Desktop Enables Code Execution via Malicious File
A high-severity memory corruption flaw in Adobe Photoshop Desktop allows attackers to achieve code execution by tricking victims into opening a crafted file. CVSS score: 7.8.
# Photoshop Has a Serious Security Flaw — Here's What You Need to Know
Adobe just discovered a dangerous vulnerability in Photoshop that could let hackers take over your computer. The problem is in how Photoshop reads certain file types — it tries to access information from places in your computer's memory that it shouldn't be touching.
Think of your computer's memory like a filing cabinet. Normally, programs only open the drawers they're supposed to. This flaw is like someone reaching past their assigned drawer and grabbing files from the ones next to it. An attacker could exploit this to steal sensitive information or secretly run malicious code on your machine.
Here's the important part: you'd have to open a specially designed malicious file for this to work. The hacker can't attack you remotely just by sending you a message. They'd need to trick you into opening a fake PSD file, screenshot, or similar Photoshop document. Once you do, they could potentially install spyware, steal passwords, or lock you out of your own computer.
Professional designers and photographers are at highest risk, since they regularly open files from clients and online sources. Anyone who uses Photoshop for work should take this seriously.
Here's what you should do right now:
- Update Photoshop immediately. Adobe will release a patch soon; install it as soon as it's available. Don't wait.
- Be suspicious of unsolicited Photoshop files, especially from unfamiliar people. If someone you don't know sends you a PSD file, ask them about it first before opening it.
- Consider using the latest version of Photoshop. If you're running an older version, update now. Hackers often target outdated software because they know vulnerabilities exist.
CVE-2026-27289 is a high-severity out-of-bounds read vulnerability affecting Adobe Photoshop Desktop. Assigned a CVSS score of 7.8 (HIGH), the flaw resides in the file parsing logic of Photoshop versions 27.4 and earlier. When processing a specially crafted image or project file, the application reads beyond the boundary of an allocated memory structure, potentially exposing sensitive memory contents and creating conditions for arbitrary code execution. While this vulnerability has not been observed exploited in the wild, its reliable exploitation potential and the ubiquity of Photoshop across creative and enterprise environments make it a significant risk that demands prompt attention.
## Technical Details
The root cause of CVE-2026-27289 is an out-of-bounds read (CWE-125) introduced during the parsing of a crafted file format supported by Photoshop. When the application processes certain file structures — such as layer descriptors, embedded metadata blocks, or custom resource chunks — it fails to perform adequate bounds validation before dereferencing a pointer offset derived from attacker-controlled data.
Specifically, a length or count field embedded within the file header or sub-record can be manipulated to specify a value larger than the actual allocated buffer size. The parsing routine then calculates a read offset that extends past the end of the heap-allocated structure. This read operation can expose adjacent heap memory, which may contain pointers, function addresses, or other sensitive runtime data useful for bypassing modern exploit mitigations such as ASLR (Address Space Layout Randomization) and DEP/NX (Data Execution Prevention).
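The validation failure described above, reduced to its core as an added example (not Adobe's code, and not part of the original advisory). The record layout, `sum_entries_unchecked` and `sum_entries_checked` are hypothetical and stand in for any parser that takes a count field from the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sub-record (not Photoshop's real layout), big-endian:
 *   u32 type | u32 count | count * u32 entries */
#define HDR_SIZE   8u
#define ENTRY_SIZE 4u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (CWE-125): the file's count field drives the loop and
 * len is never consulted, so an inflated count reads past the end of buf. */
uint32_t sum_entries_unchecked(const uint8_t *buf, size_t len) {
    (void)len;
    uint32_t count = be32(buf + 4), sum = 0;
    for (uint32_t i = 0; i < count; i++)
        sum += be32(buf + HDR_SIZE + (size_t)i * ENTRY_SIZE);
    return sum;
}

/* Hardened form: validate every declared size against the bytes actually
 * present before dereferencing. Returns 0 on success, -1 if malformed. */
int sum_entries_checked(const uint8_t *buf, size_t len, uint32_t *out) {
    if (buf == NULL || out == NULL || len < HDR_SIZE)
        return -1;                              /* truncated header */
    uint32_t count = be32(buf + 4), sum = 0;
    /* Dividing instead of multiplying keeps the check overflow-free. */
    if (count > (len - HDR_SIZE) / ENTRY_SIZE)
        return -1;                              /* count exceeds payload */
    for (uint32_t i = 0; i < count; i++)
        sum += be32(buf + HDR_SIZE + (size_t)i * ENTRY_SIZE);
    *out = sum;
    return 0;
}

int main(void) {
    /* Constructed sample: declares 256 entries but carries only one. */
    const uint8_t lying[] = { 0,0,0,1,  0,0,1,0,  0,0,0,5 };
    uint32_t sum = 0;
    int rc = sum_entries_checked(lying, sizeof lying, &sum);
    printf("checked parser: %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```

The unchecked variant is safe to call only on well-formed input; run it under AddressSanitizer with the constructed `lying` record to see the heap over-read reported.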
In a carefully staged exploit, the information leaked via the out-of-bounds read can serve as a memory disclosure primitive, feeding into a secondary corruption primitive to achieve reliable control flow hijacking. The resulting code execution occurs entirely within the security context of the currently logged-in user, meaning administrator-level access is not required for a successful attack.
## Attack Vector and Exploitation
Exploitation of CVE-2026-27289 follows a classic social engineering delivery chain. The attack requires user interaction — specifically, a victim must be persuaded to open a malicious file using an affected version of Photoshop Desktop. Likely delivery mechanisms include:
- Phishing emails containing malicious .psd, .psb, or other Photoshop-compatible file attachments
- Drive-by downloads from compromised creative asset repositories or stock image sites
- Trojanized project files shared via collaborative platforms, freelance marketplaces, or cloud storage services
Because Photoshop is widely trusted by its users and files of these types are routinely exchanged in professional workflows, victims are less likely to exercise caution before opening them. A double-extension or spoofed filename (e.g., project_final_v2.jpg.psd) could further lower victim suspicion. Once the file is opened, exploitation is largely automatic, requiring no further interaction beyond the initial file open event.
## Affected Systems
The following software versions are confirmed vulnerable:
- Adobe Photoshop Desktop 27.4 and all earlier releases in the 27.x branch
- The vulnerability is classified as cross-platform, affecting installations on both Windows and macOS
Organizations running Photoshop in managed enterprise environments, creative agencies, media production houses, and individual creative professionals are all within the affected population. Users who have enabled automatic updates via the Adobe Creative Cloud desktop application may already be protected if Adobe has released a patched version.
## Detection and Indicators of Compromise
Because this vulnerability has not been exploited in the wild at time of publication, there are no confirmed threat actor TTPs or specific IOCs associated with active campaigns. However, defenders should monitor for the following signals:
- Unexpected crashes or application hangs in Photoshop processes (Photoshop.exe / Adobe Photoshop 2026) shortly after opening externally sourced files
- Anomalous child process creation spawned from the Photoshop process, particularly shells (cmd.exe, powershell.exe, bash) or network-connecting binaries
- Crash dump artifacts (.dmp files) in user profile directories indicative of memory access violations during file parsing
- EDR telemetry flagging heap read violations or access violations originating from Photoshop's file parsing modules
- Inbound delivery of .psd or .psb files from untrusted or external senders via email gateways
## Remediation
The primary and most effective remediation is to update Adobe Photoshop Desktop to the latest available version through the Adobe Creative Cloud application. Adobe has acknowledged the vulnerability and is expected to release a patched build addressing CVE-2026-27289. Until a patch is applied, organizations should consider the following mitigations:
- Restrict opening of Photoshop files from untrusted sources and enforce file-type filtering at email and web gateways
- Enable Protected View or sandboxing features where available in the operating environment
- Apply application allowlisting to prevent unexpected child process execution from Photoshop
- Ensure endpoint detection and response (EDR) solutions are deployed and current on all systems running affected software versions
## CypherByte Assessment
CypherByte rates this vulnerability as high priority for patching despite the absence of confirmed in-the-wild exploitation. The combination of a CVSS 7.8 score, cross-platform impact, and a realistic, low-friction social engineering delivery path presents a meaningful risk — particularly for organizations in the media, advertising, architecture, and design sectors where Photoshop file exchange is routine and trust is implicitly assumed.
The out-of-bounds read primitive described in CVE-2026-27289 is the type of bug that experienced threat actors weaponize relatively quickly once a patch is released and the delta can be reverse-engineered. We strongly recommend patching within 72 hours of Adobe's official fix becoming available and enforcing file-source validation policies in the interim.