CVE-2025-30326: 
Adobe Photoshop vulnerability analysis and mitigation

Adobe Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Access of Uninitialized Pointer vulnerability (CVE-2025-30326). The vulnerability was discovered and initially disclosed on May 13, 2025, through Adobe's HackerOne bug bounty program by researcher yjdfy. This security flaw requires user interaction, specifically opening a malicious file, to be exploited (NVD, Wiz).

The vulnerability is classified as CWE-824 (Access of Uninitialized Pointer) and has received a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw specifically relates to Photoshop's handling of legacy TIFF metadata tags, where failure to initialize pointer references when reading Exif data from manipulated TIFF headers could lead to dereferencing attacker-controlled memory addresses (Wiz).

If successfully exploited, this vulnerability could result in arbitrary code execution in the context of the current user. The impact is particularly significant given Photoshop's common use with elevated permissions (Wiz).

Adobe has released patches to address this vulnerability - version 26.6 for Photoshop 2025 and version 25.12.3 for Photoshop 2024. Creative Cloud users receive automatic updates through the desktop app's background service. For unpatched systems, temporary mitigation involves configuring Group Policy Objects (Windows) or Mobile Device Management profiles (macOS) to restrict Photoshop from opening files from untrusted sources, though Adobe emphasizes these workarounds should not replace permanent patching (Wiz).