CVE-2026-34632: Adobe Photoshop Installer RCE Vulnerability

CVE-2026-34632 Overview

Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability (CWE-427) that could result in arbitrary code execution in the context of the current user. A low-privileged local attacker could exploit this vulnerability by manipulating the search path used by the application to locate critical resources, potentially causing unauthorized code execution. Exploitation of this issue requires user interaction in that a user must be running the installer.

Critical Impact

Local attackers can achieve arbitrary code execution by manipulating the DLL search path, potentially leading to complete system compromise with the privileges of the current user.

Affected Products

• Adobe Photoshop Installer
• Adobe Creative Cloud Desktop Applications
• Windows-based Adobe Installer Components

Discovery Timeline

• April 15, 2026 - CVE-2026-34632 published to NVD
• April 15, 2026 - Last updated in NVD database

Technical Details for CVE-2026-34632

Vulnerability Analysis

This vulnerability is classified as an Uncontrolled Search Path Element issue, as defined by MITRE CWE-427. When the Adobe Photoshop Installer executes, it searches for required DLL files using a predictable search order. An attacker with local access can place a malicious DLL in a location that is searched before the legitimate system directories, causing the installer to load and execute the attacker-controlled code.

The attack requires local access to the system and user interaction, as the victim must execute the installer while the malicious DLL is present in the search path. Once loaded, the malicious code executes with the same privileges as the user running the installer, which could include administrative rights if the installation is being performed with elevated privileges.

Root Cause

The root cause of this vulnerability lies in the Adobe Photoshop Installer's failure to properly specify absolute paths when loading dynamic link libraries. Instead of using fully qualified paths to load required DLLs, the installer relies on the Windows DLL search order, which includes user-writable directories such as the current working directory. This allows an attacker to perform DLL hijacking by placing a malicious DLL with an expected name in a directory that is searched before the legitimate system directories.

Attack Vector

This vulnerability requires local access to the target system. An attacker must:

1. Identify which DLLs the Adobe Photoshop Installer attempts to load during execution
2. Create a malicious DLL with the same name as a legitimately expected library
3. Place the malicious DLL in a location that will be searched before the legitimate DLL path (such as the directory containing the installer or the user's PATH)
4. Wait for or convince a user to run the Adobe Photoshop Installer
5. Upon execution, the installer loads the attacker's malicious DLL, executing arbitrary code in the context of the current user

The attacker-controlled code can then perform any actions permitted by the user's privilege level, including data exfiltration, malware installation, or further privilege escalation.

Detection Methods for CVE-2026-34632

Indicators of Compromise

• Unexpected DLL files present in the same directory as the Adobe Photoshop Installer executable
• DLL files with suspicious timestamps or unsigned code in user-writable directories
• Process execution anomalies where the Adobe installer spawns unexpected child processes
• Registry or file system modifications originating from the installer process that deviate from normal installation behavior

Detection Strategies

• Monitor for DLL loading events from non-standard paths during Adobe installer execution using tools like Sysmon or EDR solutions
• Implement application whitelisting to detect unauthorized DLL loading
• Use behavioral analysis to identify installer processes performing unexpected operations such as network connections or spawning shells
• Deploy SentinelOne's behavioral AI to detect DLL hijacking attempts in real-time

Monitoring Recommendations

• Configure Windows Event Logging to capture DLL load events (Event ID 7) for Adobe-related processes
• Enable audit policies for object access to track file creation in directories commonly targeted for DLL hijacking
• Implement SentinelOne Singularity platform for continuous endpoint monitoring and automated threat response
• Regularly audit system directories and user PATH locations for suspicious DLL files

How to Mitigate CVE-2026-34632

Immediate Actions Required

• Download Adobe Photoshop Installer only from official Adobe sources and verify file integrity before execution
• Run installers from a clean, isolated directory that does not contain any untrusted files
• Clear the current working directory and verify no suspicious DLLs are present before running the installer
• Consider running the installer in a sandboxed environment or virtual machine for additional isolation

Patch Information

Adobe is expected to address this vulnerability in a future security update. Administrators should monitor the Adobe Security Bulletins page for official patch announcements. Apply vendor-provided patches as soon as they become available to fully remediate this vulnerability.

Workarounds

• Execute the installer from a dedicated, clean directory with no additional files present
• Verify the digital signature of the installer executable before running it
• Use Windows SafeDLL search mode by ensuring the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry key is enabled
• Implement application control policies to restrict DLL loading from untrusted locations
• Deploy endpoint protection solutions like SentinelOne to detect and block DLL hijacking attempts

Organizations should implement defense-in-depth strategies including strict access controls on user directories and regular security awareness training regarding the risks of running installers from untrusted locations.