VYPR
Patch · Published Jun 16, 2026 · Updated Jun 19, 2026 · 1 source

Adobe: Five CVEs Across DNG SDK and Chrome PDF Extension Disclosed June 16

Key findings

  • Adobe disclosed 5 CVEs on June 16, 2026: 4 in DNG SDK, 1 in Acrobat PDF Extension for Chrome
  • CVE-2026-47964 is a heap-based buffer overflow in DNG SDK rated High (CVSS 7.8), enabling arbitrary code execution
  • Three DNG SDK CVEs (CVE-2026-47963, CVE-2026-47934, CVE-2026-47927) are out-of-bounds read flaws rated Medium
  • CVE-2026-48294 is a UXSS cross-origin data disclosure bug in the Chrome PDF extension
  • All vulnerabilities require user interaction (opening a malicious file or visiting a malicious page)
  • Patched versions: DNG SDK 1.7.1 2537+, Acrobat PDF Extension 26.5.2.3+

Adobe released a batch of five security advisories on June 16, 2026, covering vulnerabilities in the DNG SDK and the Adobe Acrobat PDF Extension for Chrome. The disclosures span two distinct products, with the bulk of the CVEs — four out of five — affecting the DNG SDK, a widely used library for processing Adobe's Digital Negative raw image format. The most severe of the flaws carries a CVSS score of 7.8 and could lead to arbitrary code execution, making this batch particularly relevant for developers and organizations that integrate the DNG SDK into imaging workflows.

DNG SDK: One Heap Overflow, Three Out-of-Bounds Reads

The DNG SDK received four patches in this release. The most critical is CVE-2026-47964, a heap-based buffer overflow vulnerability rated High (CVSS 7.8). An attacker who convinces a victim to open a specially crafted DNG file could trigger memory corruption and achieve arbitrary code execution in the context of the current user. Given the SDK's use in photo-editing software, digital asset management tools, and camera firmware pipelines, a successful exploit could compromise the host application or system.

The remaining three DNG SDK CVEs — CVE-2026-47963, CVE-2026-47934, and CVE-2026-47927 — are all out-of-bounds read vulnerabilities, each rated Medium (CVSS 5.5). While lower in severity, these flaws could allow an attacker to leak sensitive memory contents by enticing a user to open a malicious DNG file. Out-of-bounds reads are often combined with other bugs in exploit chains, making them worth patching even when they do not directly enable code execution.

Adobe Acrobat PDF Extension (Chrome): UXSS Data Disclosure

The fifth CVE, CVE-2026-48294, affects the Adobe Acrobat PDF Extension for Chrome, versions 26.5.2.2 and earlier. This is a UXSS-class (Universal XSS) cross-origin data disclosure vulnerability. An attacker could exploit it to access data from a victim's browsing session, potentially reading content from other websites the user has open. Like the DNG bugs, exploitation requires user interaction — the victim must visit a malicious page or open a crafted PDF through the extension.

Patch Status and Mitigations

Adobe has released updates for all five CVEs. For the DNG SDK, users should upgrade to version 1.7.1 2537 or later. The Adobe Acrobat PDF Extension for Chrome should be updated to version 26.5.2.3 or later via the Chrome Web Store's automatic update mechanism. No workarounds have been published for either product; applying the latest updates is the recommended course of action.
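As an added example (not from Adobe or from the original article), the following check triages a software inventory against the fixed versions listed above. The product keys, host names and sample inventory are constructed, and treating the trailing "2537" in the DNG SDK version as a build number is an assumption.

```python
import re

# Fixed versions and CVE IDs as stated in the article; product keys are made up here.
ADVISORY = {
    "dng-sdk": {"fixed": "1.7.1 2537", "cves": [
        "CVE-2026-47964", "CVE-2026-47963", "CVE-2026-47934", "CVE-2026-47927"]},
    "acrobat-chrome-extension": {"fixed": "26.5.2.3", "cves": ["CVE-2026-48294"]},
}

def version_key(text):
    """Parse '1.7.1 2537', '1.7.1.2537' or Chrome's on-disk '26.5.2.2_0' into ints."""
    parts = re.split(r"[.\s]+", text.strip().split("_")[0])
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product, installed):
    fixed, have = version_key(ADVISORY[product]["fixed"]), version_key(installed)
    # Zero-pad so a version reported without its build number ("1.7.1") sorts
    # below "1.7.1 2537" and is flagged: conservative when the build is unknown.
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(fixed)

def triage(inventory):
    """inventory: (host, product, version) tuples. Returns rows needing action."""
    findings = []
    for host, product, version in inventory:
        if product not in ADVISORY:
            continue
        try:
            if not is_patched(product, version):
                cves = ", ".join(ADVISORY[product]["cves"])
                findings.append((host, product, version, cves))
        except ValueError:
            # Never treat an unreadable version as patched.
            findings.append((host, product, version, "version unreadable, check manually"))
    return findings

SAMPLE = [  # constructed inventory rows
    ("build-01", "dng-sdk", "1.7.1 2471"),
    ("build-02", "dng-sdk", "1.7.1 2537"),
    ("ws-114", "acrobat-chrome-extension", "26.5.2.2_0"),
    ("ws-115", "acrobat-chrome-extension", "26.5.2.3_0"),
    ("ws-116", "dng-sdk", "1.7.1"),
    ("ws-117", "dng-sdk", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
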

Why This Batch Matters

While none of these CVEs are reported as being exploited in the wild at the time of disclosure, the DNG SDK's broad integration across the imaging ecosystem means the heap overflow in CVE-2026-47964 warrants close attention. Developers who bundle the SDK should prioritize updating their dependencies, and end users should ensure their photo-editing applications are running patched versions. The Chrome extension vulnerability, meanwhile, highlights the ongoing risk of browser extensions that handle cross-origin content — a reminder that even trusted tools can introduce session-data exposure if left unpatched.

Synthesized by Vypr AI