LiveActive security incident?Get immediate response
CVE Record

CVE-2021-36055: XMP Toolkit SDK Use After Free Vulnerability In ReadingXMPNewDOM Could Lead To Arbitrary Code Execution

XMP Toolkit SDK versions 2020.1 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This flaw is in Adobe’s XMP Toolkit SDK, used to read metadata in files. A malicious file could make an affected application run code as the person who opened it. Business urgency is highest where employees, content workflows, or automated processors open untrusted documents or media.

Executive priority

Treat as high priority for content-heavy teams and file-ingestion systems. The bug can lead to code execution, but requires opening a malicious file and has no active exploitation evidence in the provided sources.

Technical view

CVE-2021-36055 is a CWE-416 use-after-free in ReadingXMPNewDOM affecting XMP Toolkit SDK 2020.1 and earlier. CVSS 3.1 is 7.8, with local attack vector, no privileges required, user interaction required, and high confidentiality, integrity, and availability impact.

Likely exposure

Exposure depends on software that embeds Adobe XMP Toolkit SDK 2020.1 or earlier, or downstream packages such as Debian’s exempi. The bundle does not identify every affected application, so organizations need library and package inventory.

Exploitation context

The source bundle says exploitation requires a victim to open a malicious file. It does not show CISA KEV listing or cited evidence of active exploitation, so active exploitation should not be assumed.

Researcher notes

Focus on dependency provenance and downstream consumers. The core issue is memory safety in XMP parsing, not a remotely reachable network service unless an exposed workflow parses attacker-supplied files.

Mitigation direction

  • Update Adobe XMP Toolkit SDK according to Adobe APSB21-65 guidance.
  • Apply Debian exempi security updates where that package is present.
  • Inventory applications that parse XMP metadata from documents or media.
  • Reduce handling of untrusted files until affected parsers are patched.
  • Check vendor guidance for embedded or bundled XMP Toolkit copies.

Validation and detection

  • Identify XMP Toolkit SDK versions in source, binaries, and third-party dependencies.
  • Confirm Debian exempi packages include the relevant security update.
  • Review workflows that open external documents, images, PDFs, or media metadata.
  • Verify patched applications still parse benign XMP metadata correctly.
  • Check endpoint logs for suspicious crashes during file-open workflows.
Prepared
Confidence
high
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-36055 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H1.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

7.8High
CVSS 3.1 vector shape for CVE-2021-36055Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
AdobeXMP Toolkitunspecified, unspecifiedListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.