Opening One Wrong Image File Could Hand Hackers Full Control of Your Computer — Photoshop Users Need to Update Now

If you use Adobe Photoshop — for work, for freelance, for anything — a single image file sent by the wrong person could silently hand an attacker complete control of your computer.

What's happening

Adobe has disclosed a high-severity vulnerability tracked as CVE-2026-27289 affecting Photoshop Desktop version 27.4 and all earlier releases on both Windows and macOS. The flaw carries a CVSS score of 7.8 out of 10, placing it firmly in "drop everything and patch" territory. The vulnerability allows an attacker to run their own malicious code on your machine — at your permission level, with access to everything you can access — simply by getting you to open a specially crafted file. That file could look like a perfectly normal PSD, TIFF, or other image format. There would be no warning. No obvious sign anything had gone wrong. According to Adobe, no active exploitation has been confirmed in the wild yet, but the window between disclosure and weaponization historically closes fast.

How the attack works

Imagine Photoshop as a very meticulous librarian. Every time you open an image file, it goes through a careful process of reading the file's contents and placing different pieces of information into specifically sized shelves in memory — one shelf for color data, one for layer information, one for metadata. This vulnerability exists in the file parsing stage of that process. An attacker can craft a malicious file that lies about how large its contents are. When Photoshop trusts that lie and starts reading, it keeps going past the edge of the shelf it allocated — reaching into memory that was never meant to be touched. That's the "out-of-bounds read."

Here's where it turns dangerous: that adjacent memory isn't empty. It contains other program data — and by carefully engineering which data gets read and how the program reacts, an attacker can manipulate Photoshop into executing arbitrary instructions. Think of it like a con artist who hands a bank teller a form that says "pay bearer $100" but the fine print, written in invisible ink that only the machine reads, says "also wire everything in the vault." The delivery mechanism is almost insultingly simple: a phishing email with an attachment, a file shared over a studio's Slack channel, a stock asset downloaded from a compromised website. Designers routinely open files from clients, collaborators, and strangers. That workflow is the attack surface.

The technical reality

The vulnerability is classified as an out-of-bounds read (CWE-125) triggered during file parsing in Photoshop Desktop's image processing pipeline. Critically, while an out-of-bounds read is often dismissed as merely an information-disclosure issue, Adobe's own advisory confirms this instance is exploitable for code execution — meaning the read primitive is chained into a write condition sufficient to redirect control flow. The CVSS 7.8 HIGH score reflects the local/user-interaction vector (an attacker can't hit you over the network without you opening the file), but the impact metrics for confidentiality, integrity, and availability are all rated HIGH. This is a memory corruption primitive in a widely deployed, highly privileged creative application — exactly the profile that exploit brokers and initial-access crews find valuable. Researchers with detection pipelines should watch for anomalous child processes spawned from Photoshop.exe or Adobe Photoshop on macOS following file-open events.

Who is at risk

Any individual or organization running Adobe Photoshop Desktop version 27.4 or earlier on Windows or macOS is affected. This isn't a niche enterprise tool — Photoshop has tens of millions of active users globally, spanning freelance designers, marketing agencies, game studios, news organizations, film and TV production houses, and medical imaging departments that have adopted creative workflows. The attack requires user interaction, which means corporate environments where employees routinely receive design files from external clients are at elevated risk. Photoshop on iPad is not affected by this specific CVE.

What you should do right now

1. Update Photoshop immediately to version 27.5 or later. Open the Creative Cloud desktop application, navigate to the Apps tab, and install any available update for Photoshop. If you manage a fleet, push the update via the Adobe Admin Console using the Creative Cloud Packager. Do not wait for your next scheduled maintenance window — treat this as urgent.
2. Suspend opening unsolicited or unexpected Photoshop files until patched. If you haven't updated yet, do not open PSD, PSB, TIFF, or other image files received from external sources via email, messaging apps, or file-sharing services. Ask senders to verify files through a second channel before you open anything. This is not paranoia — it's basic hygiene when a file-open is all that's required for full compromise.
3. Check your version right now: In Photoshop, go to Help → About Photoshop (Windows) or Photoshop → About Photoshop (macOS). If the version shown is 27.4 or lower, you are vulnerable and should update before doing any further work involving external files. IT and security teams should audit endpoints via Creative Cloud reporting tools and flag any unpatched installs for immediate remediation.