CVE-2021-36064

7.8 HIGH

📋 TL;DR

CVE-2021-36064 is a buffer underflow vulnerability in Adobe XMP Toolkit that could allow arbitrary code execution when a user opens a malicious file. This affects users of software that incorporates XMP Toolkit version 2020.1 or earlier for metadata processing. Attackers could exploit this to run malicious code with the victim's privileges.

💻 Affected Systems

Products:
  • Adobe XMP Toolkit
  • Software using XMP Toolkit library
Versions: 2020.1 and earlier
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application that uses vulnerable XMP Toolkit versions for parsing metadata in files like PDFs, images, or documents.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary code execution, leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malware installation or data exfiltration when users open specially crafted files containing malicious metadata.

🟢 If Mitigated

No impact if patched, or if users avoid opening untrusted files from unknown sources.

🌐 Internet-Facing: LOW - exploitation requires a user to open a malicious file; the flaw is not directly reachable over the network.
🏢 Internal Only: MEDIUM - internal users can be targeted with phishing or malicious documents, but exploitation still requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious file) and knowledge of the specific buffer underflow conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XMP Toolkit 2021.07 or later

Vendor Advisory: https://helpx.adobe.com/security/products/xmpcore/apsb21-65.html

Restart Required: Yes

Instructions:

1. Identify applications using XMP Toolkit.
2. Update to XMP Toolkit 2021.07 or later.
3. Update dependent applications.
4. Restart affected services/applications.

🔧 Temporary Workarounds

Restrict file types

Platforms: all

Block or restrict opening of file types that carry XMP metadata (PDFs, images, documents) when they come from untrusted sources.

Application sandboxing

Platforms: all

Run applications that process XMP metadata in restricted environments or sandboxes.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized applications
  • Deploy endpoint protection with behavioral analysis to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check XMP Toolkit version in applications or libraries. Version 2020.1 or earlier is vulnerable.

Check Version:

Check application documentation or use dependency scanning tools to identify XMP Toolkit versions.

Verify Fix Applied:

Verify XMP Toolkit version is 2021.07 or later in all applications.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing files
  • Unexpected process execution from document viewers

Network Indicators:

  • Outbound connections initiated after opening files

SIEM Query:

Process creation events from document-processing applications (PDF readers, image editors) followed within a short window by outbound network connections from the spawned process.
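The correlation the SIEM query describes, as an added example that is not part of the original page: a handful of constructed process-creation and network events, and a function that flags a child process of a document viewer that opened an outbound connection shortly after being spawned. The viewer names, hosts, timestamps and addresses are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Assumed set of document-processing applications worth watching (hypothetical list).
DOCUMENT_VIEWERS = {"acrobat.exe", "photoshop.exe", "preview", "evince"}

# Constructed sample events in the shape a SIEM might normalize them to.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "type": "process", "host": "ws01", "pid": 410,
     "image": "acrobat.exe", "parent": "explorer.exe"},
    # child spawned by the viewer, then a connection from that child within seconds
    {"ts": "2024-01-10T09:00:05", "type": "process", "host": "ws01", "pid": 522,
     "image": "powershell.exe", "parent": "acrobat.exe"},
    {"ts": "2024-01-10T09:00:09", "type": "network", "host": "ws01", "pid": 522,
     "dest": "203.0.113.7:443"},
    # the viewer itself connecting (e.g. update check) is not a spawned child: ignored
    {"ts": "2024-01-10T09:30:00", "type": "process", "host": "ws02", "pid": 800,
     "image": "acrobat.exe", "parent": "explorer.exe"},
    {"ts": "2024-01-10T09:30:04", "type": "network", "host": "ws02", "pid": 800,
     "dest": "198.51.100.9:443"},
    # child of a viewer, but the connection falls outside the correlation window
    {"ts": "2024-01-10T10:00:00", "type": "process", "host": "ws03", "pid": 900,
     "image": "cmd.exe", "parent": "acrobat.exe"},
    {"ts": "2024-01-10T10:20:00", "type": "network", "host": "ws03", "pid": 900,
     "dest": "192.0.2.5:80"},
]


def find_suspicious_chains(events, window_seconds=60):
    """Return (host, child image, destination) for every process whose parent is a
    document viewer and that made an outbound connection within window_seconds
    of its creation. Events are processed in timestamp order."""
    spawned = {}  # (host, pid) -> process-creation event for viewer children
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process" and ev.get("parent", "").lower() in DOCUMENT_VIEWERS:
            spawned[(ev["host"], ev["pid"])] = ev
        elif ev["type"] == "network":
            proc = spawned.get((ev["host"], ev["pid"]))
            if proc is None:
                continue
            delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(proc["ts"])
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                hits.append((ev["host"], proc["image"], ev["dest"]))
    return hits


if __name__ == "__main__":
    for host, image, dest in find_suspicious_chains(EVENTS):
        print(f"{host}: {image} spawned by a document viewer connected to {dest}")
```

Keying on (host, pid) without a process start time means pid reuse can produce false matches on long log windows; real deployments should key on the SIEM's unique process GUID where available.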

🔗 References