CVE-2023-26350

5.5 MEDIUM

📋 TL;DR

CVE-2023-26350 is an out-of-bounds read in Adobe Dimension 3.4.7 and earlier. When a user opens a crafted file, the application can read past the end of a buffer and disclose the contents of process memory. The bug gives no code execution on its own, but the leaked addresses or data could help an attacker defeat mitigations such as ASLR as one step in a longer chain.

💻 Affected Systems

Products:
  • Adobe Dimension
Versions: 3.4.7 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: No special configuration is needed; any affected install is exposed as soon as a user opens a crafted file in Dimension.

📦 What is this software?

Adobe Dimension is Adobe's desktop 3D design and rendering application, distributed through Creative Cloud for Windows and macOS. Designers use it to composite 2D artwork with 3D models, materials and lighting for product mockups and scenes. Projects are saved as .dn files and the application also imports common 3D model formats; the advisory does not state which file type the crafted input must be.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could leverage memory disclosure to bypass ASLR and chain with other vulnerabilities for arbitrary code execution or system compromise.

🟠

Likely Case

Information disclosure leading to memory address leaks that could assist in developing more sophisticated attacks against the system.

🟢

If Mitigated

With 3.4.8 or later installed the flaw is closed. With workarounds only, exposure is limited to memory disclosure from a file the user chose to open; there is no code execution from this bug by itself.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and likely requires chaining with other vulnerabilities for full compromise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.8 or later

Vendor Advisory: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Restart Required: Yes

Instructions:

1. Open Adobe Dimension.
2. Go to Help > Check for Updates, or open the Creative Cloud desktop app and choose Updates (the Creative Cloud updater is the path Adobe's bulletin recommends).
3. Follow the prompts to install version 3.4.8 or later.
4. Restart the application and confirm the version under Help > About Adobe Dimension.

🔧 Temporary Workarounds

Restrict file opening (applies to: all platforms)

Only open Dimension files from trusted sources and treat unexpected or unsolicited files as hostile. This is a file-parsing bug, so the crafted file has to be opened in Dimension before anything happens.

Application control (applies to: all platforms)

Use application allow-listing to limit Adobe Dimension to the users and workstations that actually need it, which shrinks the population a malicious file could reach.

🧯 If You Can't Patch

  • Run Dimension as a standard (non-administrative) user so leaked memory and any follow-on exploit are confined to that account
  • Filter or quarantine Dimension project files (.dn) arriving by email or download from outside the organization
  • Segment design workstations from sensitive systems so a chained compromise cannot move laterally

🔍 How to Verify

Check if Vulnerable:

Check Adobe Dimension version in Help > About Adobe Dimension. If version is 3.4.7 or earlier, system is vulnerable.

Check Version:

On Windows: Check version in Help > About. On macOS: Adobe Dimension > About Adobe Dimension.

Verify Fix Applied:

Verify version is 3.4.8 or later in Help > About Adobe Dimension.
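
The version comparison above is easy to get wrong by hand (3.4.10 is newer than 3.4.8, for example). The script below is an added example, not from Adobe's advisory or this page: it compares a Dimension version string against the fixed release 3.4.8 and, on macOS, can read the installed version from the application bundle. The bundle path is an assumption based on the default install location, and versions are assumed to be dotted numerics.

```shell
#!/bin/sh
# Added example, not part of Adobe's advisory or this page's original content:
# decide whether an installed Adobe Dimension build is affected by
# CVE-2023-26350. Anything older than the fixed release 3.4.8 is affected.
# Assumptions: versions are dotted numerics (e.g. 3.4.7, 3.4.8.1234) and the
# macOS bundle lives at the default install path below.

FIXED_VERSION="3.4.8"

# vercmp A B  -> prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Missing trailing components count as 0, so 3.4 compares as 3.4.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION  -> exit status 0 if VERSION is older than 3.4.8.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# installed_version  -> prints the version of the local macOS install, or fails.
# On Windows read Help > About Adobe Dimension (or the Creative Cloud app) instead.
installed_version() {
    plist="/Applications/Adobe Dimension/Adobe Dimension.app/Contents/Info.plist"  # assumed path
    [ -r "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

# report VERSION  -> human-readable verdict; exit 0 if patched, 1 if vulnerable.
report() {
    if is_vulnerable "$1"; then
        echo "Adobe Dimension $1: VULNERABLE to CVE-2023-26350 (update to $FIXED_VERSION or later)"
        return 1
    fi
    echo "Adobe Dimension $1: not affected (>= $FIXED_VERSION)"
}

# Usage: sh check_dimension.sh 3.4.7     (check a version read from Help > About)
#        sh check_dimension.sh --local   (read the macOS bundle's Info.plist)
if [ $# -gt 0 ]; then
    if [ "$1" = "--local" ]; then
        ver="$(installed_version)" || { echo "Adobe Dimension not found at the default path" >&2; exit 2; }
    else
        ver="$1"
    fi
    report "$ver"
fi
```

The comparison is component-wise rather than a string comparison, so a four-part build number such as 3.4.8.1234 is correctly treated as patched and 3.4.10 is not mistaken for something older than 3.4.8.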

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or unexpected behavior when opening Dimension files
  • Security software alerts for memory access violations

Network Indicators:

  • Unusual file downloads preceding application issues
  • Phishing emails carrying Dimension project files (.dn) or archives containing them

SIEM Query:

source="*adobe*" AND (event_type="crash" OR event_type="exception") AND process_name="Adobe Dimension"

The field names above are placeholders and need mapping to your log schema. On Windows the equivalent signal is Application log Event ID 1000 (Application Error) with the Dimension process as the faulting application; on macOS, crash reports under ~/Library/Logs/DiagnosticReports that name Adobe Dimension. A crash alone is weak evidence; a crash shortly after a .dn file arrived or was opened on the same host is the pattern worth alerting on.
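
To make the indicators above concrete, here is an added example (not from the page or from Adobe) that correlates a Dimension crash with a .dn file opened shortly before it on the same host. The log format, the event names and the process name Dimension.exe are assumptions, and the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the page or from Adobe: turn the log indicators into
# a concrete check. It flags a Dimension crash that follows a .dn file open on
# the same host within a time window, the footprint a crafted file triggering
# this out-of-bounds read would leave behind.
# Assumed log format (one event per line): "<epoch> <host> <event> <detail>".
# The process name Dimension.exe and the event names are assumptions.

# Constructed sample telemetry (not real data): ws01 opens a .dn file and
# Dimension crashes 40 s later; ws02 crashes with no preceding .dn open;
# ws03 opened a .dn file 1100 s before its crash.
SAMPLE_LOG='1680000000 ws01 file_open C:\Users\a\Downloads\invoice.dn
1680000010 ws01 process_start Dimension.exe
1680000040 ws01 app_crash Dimension.exe exception_code=0xc0000005
1680000500 ws02 app_crash Dimension.exe exception_code=0xc0000005
1680000900 ws03 file_open C:\Users\c\Documents\scene.dn
1680002000 ws03 app_crash Dimension.exe exception_code=0xc0000005'

# suspicious_crashes WINDOW_SECONDS  (reads log lines on stdin)
# Prints "<host> <crash_epoch> <file>" for every Dimension crash that occurred
# within WINDOW_SECONDS after the most recent .dn open on that host.
# Paths containing spaces would need a different field split; kept simple here.
suspicious_crashes() {
    awk -v window="$1" '
        $3 == "file_open" && $4 ~ /\.dn$/ { last_open[$2] = $1; last_file[$2] = $4 }
        $3 == "app_crash" && $4 == "Dimension.exe" {
            if (($2 in last_open) && ($1 - last_open[$2]) <= window)
                print $2, $1, last_file[$2]
        }'
}

# count_suspicious WINDOW_SECONDS  -> number of flagged crashes in SAMPLE_LOG
count_suspicious() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_crashes "$1" | wc -l | tr -d ' '
}

# Usage: run over the sample with a 5-minute window; only ws01 is flagged.
printf '%s\n' "$SAMPLE_LOG" | suspicious_crashes 300
```

The window is the tuning knob: with 300 seconds only ws01 is reported, while widening it to 2000 seconds also pulls in ws03. The ws02 crash is never flagged because no .dn open preceded it, which is exactly the noise a bare crash query would include.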

🔗 References

  • Adobe Security Bulletin APSB23-20: https://helpx.adobe.com/security/products/dimension/apsb23-20.html
  • NVD entry for CVE-2023-26350: https://nvd.nist.gov/vuln/detail/CVE-2023-26350