Adobe has released critical security updates addressing three high-severity vulnerabilities (CVE-2025-30324, CVE-2025-30325, CVE-2025-30326) in Photoshop 2024 and 2025 that could enable arbitrary code execution on Windows and macOS systems.
The flaws, discovered by external researcher yjdfy through Adobe’s HackerOne bug bounty program, involve memory corruption risks stemming from integer manipulation and uninitialized pointer access.
While no active exploits have been observed, the patches released on May 13, 2025, mitigate attack vectors requiring user interaction through malicious file processing.
The vulnerabilities center on improper memory management during image file processing.
CVE-2025-30324 involves an integer underflow/wraparound error in Photoshop’s layer compositing engine, where subtracting larger values from smaller unsigned integers creates invalid memory offsets.
This could allow attackers to craft .PSD files that trigger buffer underwrite conditions, corrupting adjacent memory regions.
CVE-2025-30325 stems from an integer overflow in the CMYK color space conversion module. Specially constructed color profiles exceeding 32-bit integer limits during pixel calculations cause heap buffer overflows.
Both vulnerabilities scored 7.8 CVSSv3.1 ratings due to local attack vectors requiring user interaction via malicious file openings.
The third flaw, CVE-2025-30326, relates to Photoshop’s handling of legacy TIFF metadata tags.
Failure to initialize pointer references when reading Exif data from manipulated TIFF headers could dereference attacker-controlled memory addresses.
Adobe’s bulletin notes all three issues enable arbitrary code execution at the target’s privilege level, posing significant risks given Photoshop’s common use with elevated permissions.
Patch Deployment and Mitigation Strategies
Affected versions include Photoshop 2025 (26.5 and earlier) and Photoshop 2024 (25.12.2 and earlier) across both platforms.
The updates-version 26.6 for 2025 and 25.12.3 for 2024-strengthen bounds checking in raster operations and implement pointer validation routines.
Creative Cloud users receive automatic updates through the desktop app’s background service, though administrators must manually approve deployments in managed environments using the Admin Console.
Enterprise deployments should prioritize testing the patch’s compatibility with third-party plugins, as memory layout changes might affect legacy extensions.
Temporary mitigation for unpatched systems involves configuring Group Policy Objects (Windows) or Mobile Device Management profiles (macOS) to restrict Photoshop from opening files from untrusted sources.
However, Adobe emphasizes that these workarounds impair functionality and should not replace permanent patching.
Implications for Creative Professionals
These vulnerabilities highlight persistent challenges in securing complex graphics software against file-based attacks.
Despite Adobe’s $250,000 maximum bounty for critical flaws, the discovery by a single researcher suggests potential gaps in automated code auditing for memory corruption bugs.
The company’s PSIRT team has expanded its fuzzing infrastructure for image codecs since 2023, but edge cases in legacy format support remain problematic.
For users, the update underscores the importance of software lifecycle management-organizations still using Photoshop 2024 must weigh upgrade urgency against potential workflow disruptions.
Security analysts recommend sandboxing graphics software through virtualization or containerization, particularly for roles involving frequent external file exchanges.
Adobe’s transparent disclosure continues a trend of improved vendor responsiveness, with patches released within 90 days of initial researcher reporting.
As file-based attacks increasingly target creative industries, the incident reinforces the need for sector-specific threat intelligence sharing through platforms like CISA’s AIS network.
The updates mark Adobe’s fourth critical Photoshop patch in 2025, reflecting both intensified security research efforts and the software’s expanding attack surface from AI-driven features.
Users should validate their Creative Cloud update status immediately and audit recent file-processing activities for anomalies.
While current mitigations reduce exploit likelihood, the technical complexity of memory corruption flaws ensures persistent risks requiring ongoing vigilance.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
