CVE-2026-21349

7.8 HIGH

📋 TL;DR

Lightroom Desktop versions 15.1 and earlier contain an out-of-bounds write vulnerability that could allow an attacker to execute arbitrary code when a user opens a malicious file. This affects all users running vulnerable versions of Adobe Lightroom Desktop. Successful exploitation requires user interaction: the user must open a specially crafted file.

💻 Affected Systems

Products:
  • Adobe Lightroom Desktop
Versions: 15.1 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining full control of the user's system, data theft, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, malware installation, or system disruption for the affected user account.

🟢 If Mitigated

Limited impact with proper application sandboxing, user account restrictions, and file validation controls in place.

🌐 Internet-Facing: LOW - Exploitation requires local file access and user interaction; it is not directly exploitable over the network.
🏢 Internal Only: MEDIUM - Risk exists if users open malicious files from internal sources such as email attachments or network shares.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and knowledge of memory corruption techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.2 or later

Vendor Advisory: https://helpx.adobe.com/security/products/lightroom/apsb26-06.html

Restart Required: Yes

Instructions:

1. Open the Adobe Creative Cloud application
2. Navigate to the Apps tab
3. Find Lightroom Desktop
4. Click the Update button
5. Restart Lightroom after the update completes

🔧 Temporary Workarounds

Restrict file opening (platforms: all)

Configure Lightroom to only open trusted file types or files from trusted locations

Application sandboxing (platforms: all)

Run Lightroom in restricted mode or in a sandboxed environment

🧯 If You Can't Patch

  • Restrict user permissions to limit potential damage from code execution
  • Implement application whitelisting to prevent unauthorized executables from running

🔍 How to Verify

Check if Vulnerable:

Check the Lightroom version via Help > About Lightroom. If the version is 15.1 or earlier, the installation is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify that the version shown under Help > About Lightroom is 15.2 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Lightroom crashes
  • Suspicious file opening events
  • Unusual process creation from Lightroom

Network Indicators:

  • Unexpected outbound connections from Lightroom process

SIEM Query:

Process creation where parent_process contains 'lightroom' and process_name not in approved_list
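The SIEM rule above and the version check from the How to Verify section, as an added offline example (not part of this advisory or of any Adobe tooling). It runs over constructed process-creation events; the approved child-process list is a placeholder assumption to tune for your environment, and versions are compared numerically so that 15.10 is not mistaken for an older release than 15.2.

```python
"""Added example: Lightroom child-process detection plus version check.

Not from the advisory; event data below is constructed, not real telemetry.
"""

# Hypothetical allowlist of child processes Lightroom is expected to spawn.
# Tune it for your environment; these names are assumptions, not Adobe's list.
APPROVED_CHILDREN = {"lightroom.exe", "conhost.exe"}


def parse_version(version: str) -> tuple:
    """'15.1' -> (15, 1). Numeric tuples compare correctly: (15, 10) > (15, 2)."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str, fixed: str = "15.2") -> bool:
    """True when the installed version is below the fixed release (15.2)."""
    return parse_version(version) < parse_version(fixed)


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows and macOS paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_children(events, approved=APPROVED_CHILDREN):
    """Return events where a Lightroom parent spawned a non-approved process."""
    hits = []
    for event in events:
        parent = basename(event["parent_image"])
        child = basename(event["image"])
        if "lightroom" in parent and child not in approved:
            hits.append(event)
    return hits


# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Adobe\Adobe Lightroom\Lightroom.exe",
     "image": r"C:\Windows\System32\conhost.exe"},                       # approved
    {"parent_image": r"C:\Program Files\Adobe\Adobe Lightroom\Lightroom.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # alert
    {"parent_image": "/Applications/Adobe Lightroom/Adobe Lightroom.app/Contents/MacOS/Adobe Lightroom",
     "image": "/bin/sh"},                                                 # alert
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},                            # not Lightroom
]

if __name__ == "__main__":
    for event in suspicious_children(SAMPLE_EVENTS):
        print("ALERT:", event["parent_image"], "->", event["image"])
    print("15.1 vulnerable:", is_vulnerable("15.1"), "| 15.10 vulnerable:", is_vulnerable("15.10"))
```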

🔗 References
