
Adobe has released unscheduled security updates for Photoshop 2024 and 2025, addressing three critical vulnerabilities—CVE-2025-30324, CVE-2025-30325, and CVE-2025-30326—each assigned a CVSS score of 7.8. These flaws could allow attackers to execute arbitrary code on Windows and macOS systems by enticing users to open specially crafted files.
The vulnerabilities were discovered by independent researcher yjdfy through the HackerOne bug bounty program. The investigation revealed the issues stem from improper memory handling—specifically, flawed integer arithmetic and the use of uninitialized pointers. While no evidence of active exploitation has surfaced to date, the vulnerabilities can be triggered by opening malicious image files, requiring minimal user interaction.
The first of the three, CVE-2025-30324, involves a buffer overflow within Photoshop’s layer composition module. The flaw is triggered when a large integer is subtracted from a smaller one without adequate bounds checking, resulting in a negative memory offset that can corrupt adjacent memory regions. An attacker could craft a malicious .PSD file to exploit this vulnerability, causing an out-of-bounds write before the allocated buffer.
The second vulnerability, CVE-2025-30325, affects the processing of the CMYK color space. It allows a heap buffer overflow when excessively large values are placed in the color profile, corrupting memory during pixel calculation. Both this and the first issue require local interaction: the victim must download and open a tainted file.
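The failure pattern behind the first two flaws, an offset computed from two untrusted fields without checking that the subtraction can wrap, and a size field accepted without a sanity limit, can be shown generically. The C below is an added example, not Adobe's code and not derived from the patched Photoshop components; the layer record layout, the MAX_LAYER_BYTES cap, the 16-byte sample file and the function names are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LAYER_BYTES (64u * 1024u)   /* hypothetical per-layer size cap */

/* Hypothetical layer record: both offsets come straight from the file. */
typedef struct {
    uint32_t data_start;   /* offset of the layer's pixel data */
    uint32_t data_end;     /* one past the end of that data */
} layer_record_t;

/* Constructed 16-byte stand-in for a file: byte i holds the value i. */
static const uint8_t sample_file[16] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};

/* Unchecked arithmetic: when data_end < data_start the unsigned subtraction
 * wraps to a huge value (a signed variant would go negative). Any caller
 * that trusts this length then reads or writes far outside its buffer.
 * This function only computes the number; it never touches memory. */
static uint32_t layer_len_unchecked(const layer_record_t *rec) {
    return rec->data_end - rec->data_start;
}

/* Checked version: the subtraction is performed only once it cannot wrap,
 * and the result is validated against the file size and the cap.
 * Returns 0 and stores the length on success, -1 for any rejected input. */
static int layer_len_checked(const layer_record_t *rec, size_t file_size,
                             uint32_t *out_len) {
    if (rec->data_end < rec->data_start) return -1;  /* would underflow */
    if (rec->data_end > file_size)       return -1;  /* points past the file */
    uint32_t len = rec->data_end - rec->data_start;
    if (len > MAX_LAYER_BYTES)           return -1;  /* absurd size field */
    *out_len = len;
    return 0;
}

/* Copy a layer's bytes into a caller-owned buffer only after every check
 * passes, including that the destination is large enough.
 * Returns the number of bytes copied, or -1 if the record was rejected. */
static int copy_layer(const uint8_t *file, size_t file_size,
                      const layer_record_t *rec, uint8_t *dst, size_t dst_size) {
    uint32_t len;
    if (layer_len_checked(rec, file_size, &len) != 0) return -1;
    if (len > dst_size) return -1;
    memcpy(dst, file + rec->data_start, len);
    return (int)len;
}

int main(void) {
    layer_record_t bad  = { 100, 40 };   /* end before start */
    layer_record_t good = { 4, 12 };
    uint8_t dst[8] = { 0 };
    uint32_t len = 0;

    printf("unchecked length for {100,40}: %u\n", layer_len_unchecked(&bad));
    printf("checked  result   for {100,40}: %d\n",
           layer_len_checked(&bad, sizeof sample_file, &len));
    printf("copy_layer for {4,12}: %d bytes, first byte %u\n",
           copy_layer(sample_file, sizeof sample_file, &good, dst, sizeof dst), dst[0]);
    return 0;
}
```

The checked path rejects the record before any arithmetic on it is trusted, which is the shape of the "reinforced boundary checks" the advisory describes; the point of the unchecked function is only to make visible how a length of roughly four billion bytes arises from two small fields.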
The third vulnerability, CVE-2025-30326, pertains to TIFF metadata processing. When reading Exif headers in a deprecated format, the application may reference an uninitialized pointer, enabling an attacker to manipulate subsequent memory operations.
Each of these flaws permits arbitrary code execution with the same privileges as the Photoshop process. Because the software often runs with administrative rights, the potential impact is significantly heightened. The updates released on May 13, 2025, address the issues in the affected versions, 26.5 and 25.12.2; the fixes ship in versions 26.6 and 25.12.3. Key mitigations include reinforced boundary checks in raster operations and stricter pointer validation routines.
For Creative Cloud users, updates are applied automatically. However, in enterprise environments, manual approval via the Admin Console is required. Adobe advises administrators to pre-test patch compatibility with plugins, as enhanced memory handling may disrupt legacy extensions.
As a temporary measure for unpatched systems, Adobe recommends restricting file access from untrusted sources using Group Policy (GPO) on Windows or MDM profiles on macOS. Such mitigations impair functionality, however, and are no substitute for a full update.
This incident once again underscores the challenges of securing complex graphics software against file-based attacks. While Adobe has expanded its fuzzing infrastructure for codecs since 2023, vulnerabilities in legacy formats persist.
For organizations, this event serves as a critical reminder to revisit upgrade timelines, particularly for environments regularly exchanging files with external partners. Security professionals strongly advocate running graphic editors in isolated environments—via virtualization or containerization—to mitigate the impact of potential compromises.
Adobe continues to demonstrate commendable responsiveness: this marks the fourth critical Photoshop update of the year, reflecting the rising volume of threats and the increasing complexity of defense in the age of AI-enhanced functionality. Companies are urged to verify their Creative Cloud update status immediately and apply patches manually if needed. A review of recent file-handling activity is also recommended to detect any signs of suspicious behavior.