CVE-2021-36055

7.8 HIGH

📋 TL;DR

CVE-2021-36055 is a use-after-free vulnerability in Adobe XMP Toolkit SDK that could allow arbitrary code execution when a user opens a malicious file. This affects applications that process XMP metadata, potentially compromising the current user's system. Users of affected software versions are vulnerable to exploitation through crafted files.

💻 Affected Systems

Products:
  • Adobe XMP Toolkit SDK
  • Applications using XMP Toolkit SDK for metadata processing
Versions: 2020.1 and earlier
Operating Systems: All platforms where XMP Toolkit SDK is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that processes XMP metadata using vulnerable SDK versions is affected. This includes various Adobe products and third-party applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with attacker gaining full control of the user's account and executing arbitrary code with user privileges.

🟠 Likely Case: Malicious file execution leading to malware installation, data theft, or ransomware deployment on the affected system.

🟢 If Mitigated: Limited impact with proper application sandboxing and user privilege restrictions, potentially containing the exploit to the application context.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious documents, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and understanding of XMP metadata structures. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XMP Toolkit SDK 2021.07 and later

Vendor Advisory: https://helpx.adobe.com/security/products/xmpcore/apsb21-65.html

Restart Required: Yes

Instructions:

1. Identify applications using XMP Toolkit SDK.
2. Update to XMP Toolkit SDK 2021.07 or later.
3. Update any applications that bundle the vulnerable SDK.
4. Restart affected applications and systems.

🔧 Temporary Workarounds

Application Control (all): Restrict execution of applications that process XMP metadata from untrusted sources

File Type Restrictions (all): Block or sandbox processing of files containing XMP metadata from untrusted sources

🧯 If You Can't Patch

  • Implement application sandboxing to limit potential damage from exploitation
  • Educate users about risks of opening files from untrusted sources and implement email filtering

🔍 How to Verify

Check if Vulnerable:

Check application documentation or vendor information to determine if XMP Toolkit SDK 2020.1 or earlier is used

Check Version:

Application-specific - consult vendor documentation for version checking

Verify Fix Applied:

Verify XMP Toolkit SDK version is 2021.07 or later through application documentation or vendor verification

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing files
  • Unexpected process execution from media applications

Network Indicators:

  • Unusual outbound connections from media processing applications

SIEM Query:

Process creation events from media applications followed by suspicious network connections
