Adobe has released critical security updates for Photoshop on both Windows and macOS platforms after discovering multiple severe vulnerabilities that could allow attackers to execute arbitrary code on victims’ systems.
The security bulletin addresses three critical flaws affecting Photoshop 2025 (version 26.5 and earlier) and Photoshop 2024 (version 25.12.2 and earlier).
Multiple Critical Flaws Discovered in Adobe Photoshop
The most concerning aspect of these flaws is their potential to allow threat actors to execute arbitrary code on affected systems, potentially leading to complete system compromise.
.png
)
The first vulnerability (CVE-2025-30324) is classified as an Integer Underflow (Wrap or Wraparound) weakness, following the Common Weakness Enumeration standard CWE-191.
This type of flaw occurs when mathematical operations cause an integer value to wrap around its minimum or maximum, leading to unexpected behavior that attackers can exploit.
The second vulnerability (CVE-2025-30325) involves an Integer Overflow or Wraparound issue (CWE-190), where mathematical operations cause a similar boundary violation but in the opposite direction.
Both integer-related vulnerabilities received a Critical severity rating with a CVSS base score of 7.8.
The third vulnerability (CVE-2025-30326) stems from Access of Uninitialized Pointer (CWE-824), where the software attempts to access memory via a pointer before it has been initialized.
This flaw also received a Critical severity rating with the same CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
According to Adobe’s security bulletin, successful exploitation of any of these vulnerabilities could lead to arbitrary code execution in the context of the current user.
If the user has administrative privileges, an attacker could potentially take complete control of the affected system, install programs, view, change, or delete data, or create new accounts with full user rights.
“Fortunately, Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” the company stated in its security bulletin.
However, security experts recommend immediate patching due to the critical nature of these flaws.
| CVEs | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
| CVE-2025-30324CVE-2025-30325 CVE-2025-30326 | Photoshop 2025 (≤26.5), Photoshop 2024 (≤25.12.2) | Arbitrary Code Execution | Local access, user interaction, no privileges | 7.8 (Critical) |
Security Updates Available
Adobe has released updated versions of the affected software to address these vulnerabilities. Users of Photoshop 2025 should update to version 26.6, while Photoshop 2024 users should update to version 25.12.3.
The company has assigned a Priority 3 rating to these updates, indicating the vulnerabilities affect products that have historically not been targeted by attackers.
Users can update their software via the Creative Cloud desktop application’s update mechanism. For managed environments, IT administrators can deploy the updates through the Admin Console.
Adobe acknowledged security researcher “yjdfy” for responsibly disclosing all three vulnerabilities and collaborating with the company to protect customers.
The company maintains a public bug bounty program with HackerOne for external security researchers interested in contributing to Adobe’s security efforts.
All Photoshop users are strongly urged to update to the latest versions-Photoshop 2025 (26.6) and Photoshop 2024 (25.12.3)-as soon as possible to mitigate any risk. Staying vigilant and keeping software current remains the best defense against evolving cyber threats.
Leveraging Defensive AI for Endpoint Security to stop threats with 99.5% accuracy – Join Free Seminar
