CVE-2023-26354

5.5 MEDIUM

📋 TL;DR

CVE-2023-26354 is an out-of-bounds read vulnerability in Adobe Dimension that could allow an attacker to read sensitive memory information. This affects users of Adobe Dimension 3.4.7 and earlier versions who open malicious files. The vulnerability could help bypass security mitigations like ASLR.

💻 Affected Systems

Products:
  • Adobe Dimension
Versions: 3.4.7 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could bypass ASLR protections and potentially chain this with other vulnerabilities to achieve arbitrary code execution or sensitive information disclosure.

🟠 Likely Case

Information disclosure leading to memory address leaks that could assist in developing more sophisticated attacks against the system.

🟢 If Mitigated

Limited impact with only memory information disclosure if proper file handling controls and user awareness are in place.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious file sharing, requiring user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the user to open a malicious file. No public exploit code is available, per the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.8 or later

Vendor Advisory: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Restart Required: Yes

Instructions:

1. Open Adobe Dimension.
2. Go to Help > Check for Updates.
3. Follow the prompts to install version 3.4.8 or later.
4. Restart the application.

🔧 Temporary Workarounds

Restrict file handling (applies to: all)

Configure the system to open .dim files only with a patched Adobe Dimension version.

User awareness training (applies to: all)

Train users not to open untrusted .dim files from unknown sources.

🧯 If You Can't Patch

  • Disable Adobe Dimension or restrict its use to trusted environments only
  • Implement application whitelisting to prevent execution of unpatched versions

🔍 How to Verify

Check if Vulnerable:

Check the Adobe Dimension version under Help > About Adobe Dimension. If the version is 3.4.7 or earlier, the system is vulnerable.

Check Version:

  • On Windows: check the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Dimension\Version.
  • On macOS: check /Applications/Adobe Dimension.app/Contents/Info.plist for CFBundleShortVersionString.

Verify Fix Applied:

Verify Adobe Dimension version is 3.4.8 or later in Help > About Adobe Dimension.
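As an added example (not part of this advisory), a POSIX shell check that reads CFBundleShortVersionString from an Info.plist as described above and compares it numerically against the fixed release 3.4.8, so that builds such as 3.4.10 are not misread as vulnerable by a string comparison. The plist content is constructed; the Windows registry check is not covered here.

```shell
# Added example (not from the advisory): flag an Adobe Dimension install as
# affected by CVE-2023-26354 when its version is 3.4.7 or earlier.
FIXED_VERSION="3.4.8"
# Compare dotted versions field by field as integers; prints -1, 0 or 1.
# Missing fields count as 0 (3.4 == 3.4.0) and 3.4.10 sorts after 3.4.8.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Exit 0 when VERSION is below the first fixed release.
dimension_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Read CFBundleShortVersionString from an XML Info.plist; assumes the <key>
# and its <string> value sit on adjacent lines, as Apple tooling writes them.
plist_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
        getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

# One-word verdict for the bundle whose Info.plist path is given.
check_plist() {
    v=$(plist_version "$1")
    [ -n "$v" ] || { echo "unknown"; return; }
    if dimension_affected "$v"; then echo "affected"; else echo "patched"; fi
}

# Constructed stand-in for /Applications/Adobe Dimension.app/Contents/Info.plist
# on a 3.4.7 install; a real check would point plist_version at that path.
SAMPLE_PLIST=$(mktemp)
trap 'rm -f "$SAMPLE_PLIST"' EXIT
cat > "$SAMPLE_PLIST" <<'EOF'
<plist version="1.0"><dict>
    <key>CFBundleShortVersionString</key>
    <string>3.4.7</string>
</dict></plist>
EOF
echo "Adobe Dimension $(plist_version "$SAMPLE_PLIST"): $(check_plist "$SAMPLE_PLIST"), fix is $FIXED_VERSION or later"
```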

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected file opens of .dim extension

Network Indicators:

  • Downloads of .dim files from untrusted sources

SIEM Query:

source="*" (event_id=1000 OR event_id=1001) AND process_name="Adobe Dimension.exe" AND exception_code=0xc0000005
