Adobe has released critical security updates for Photoshop on Windows and macOS. These updates fix severe vulnerabilities that could let attackers run arbitrary code on victims’ systems.
Multiple Critical Flaws in Adobe Photoshop
The security bulletin addresses three critical flaws in:
- Photoshop 2025 (version 26.5 and earlier)
- Photoshop 2024 (version 25.12.2 and earlier)
The most serious risk is arbitrary code execution. This could lead to full system compromise if exploited.
Details of the Vulnerabilities
- CVE-2025-30324: Integer Underflow (Wraparound) – CWE-191
- CVE-2025-30325: Integer Overflow or Wraparound – CWE-190
- CVE-2025-30326: Access of Uninitialized Pointer – CWE-824
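Both integer flaws arise when an arithmetic result falls outside the range its type can hold and wraps around: past the maximum in the overflow case, below the minimum in the underflow case. The wrapped value then leads to unexpected behavior. The uninitialized pointer flaw occurs when the software accesses memory through a pointer before that pointer has been set, which can lead to system compromise.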
All three flaws have a Critical severity rating with a CVSS base score of 7.8.
Potential Impact of Exploitation
If exploited, these vulnerabilities allow code execution in the context of the current user. If the user has administrative privileges, an attacker could:
- Take complete control of the system
- Install programs
- View, change, or delete data
- Create new user accounts
Adobe confirmed no active exploitation in the wild. Still, experts recommend immediate patching due to the critical risks.
Summary Table of Vulnerabilities
CVEs | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
---|---|---|---|---|
CVE-2025-30324, CVE-2025-30325, CVE-2025-30326 | Photoshop 2025 (≤26.5), Photoshop 2024 (≤25.12.2) | Arbitrary Code Execution | Local access, user interaction, no privileges | 7.8 (Critical) |
Security Updates Available
Adobe has released patched versions:
- Photoshop 2025 updated to version 26.6
- Photoshop 2024 updated to version 25.12.3
These updates have a Priority 3 rating. This indicates the products have historically not been a common target, but patching remains essential.
Users can update through the Creative Cloud desktop app. IT administrators can use the Admin Console for managed environments.
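To find machines that still need the update, the version boundaries in this bulletin can be checked against a software inventory. The Python script below is an added example, not Adobe tooling; the CSV layout, hostnames, and product strings are constructed assumptions, and only the fixed version numbers come from the bulletin.

```python
import csv
import io
import re

# First fixed release per major branch, as stated in the bulletin above.
FIXED = {26: (26, 6), 25: (25, 12, 3)}

# Constructed sample inventory (hostnames and rows are made up for the example).
SAMPLE_INVENTORY = """host,product,version
ws-001,Adobe Photoshop 2025,26.5
ws-002,Adobe Photoshop 2025,26.6.0
ws-003,Adobe Photoshop 2024,25.12.2
ws-004,Adobe Photoshop 2024,25.12.3
ws-005,Adobe Photoshop 2024,25.9
ws-006,Adobe Photoshop 2023,24.7.1
ws-007,Adobe Photoshop 2025,unknown
ws-008,Adobe Acrobat,25.1
"""

def parse_version(text):
    """'25.12.2' -> (25, 12, 2). Raises ValueError for anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def status(version_text):
    """Classify one Photoshop version string against the bulletin's fixed versions."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not-covered"  # branch not mentioned in the bulletin
    # Pad to equal length so 26.6 and 26.6.0 compare equal; compare as
    # integers so 25.9 sorts below 25.12.3 (string comparison gets this wrong).
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "vulnerable" if pad(version) < pad(fixed) else "patched"

def triage(inventory_csv):
    """Return (host, version, status) for every Photoshop row in the CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["version"], status(r["version"]))
            for r in rows if "photoshop" in r["product"].lower()]

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{verdict}")
```

Rows reported as "unparseable" or "not-covered" need manual review rather than being treated as safe.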
Responsible Disclosure and Adobe’s Bug Bounty
Adobe credited security researcher “yjdfy” for responsibly disclosing all three vulnerabilities. The researcher collaborated with Adobe to ensure customer safety.
Adobe encourages other researchers to participate in its public bug bounty program on HackerOne.
Update Recommended Immediately
All Photoshop users are strongly urged to update to:
- Photoshop 2025 (26.6)
- Photoshop 2024 (25.12.3)
Keeping software updated remains the best defense against cyber threats. Users should stay vigilant and apply updates promptly.