CVE-2012-2052
published 2014-06-19

Priority: P2 65, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 23.32% (97.5th percentile)
Stack-based buffer overflow in the U3D.8BI library plugin in Adobe Photoshop CS5 12.x before 12.0.5 and CS5.1 12.1.x before 12.1.1 allows remote attackers to execute arbitrary code via a long Collada asset element in a DAE file, as demonstrated by the cameraYFov value in the contributor comments element.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
adobe | photoshop_cs5
adobe | photoshop_cs5
adobe | photoshop_cs5
adobe | photoshop_cs5
adobe | photoshop_cs5
adobe | photoshop_cs5.1

Detection & IOCs (extracted from sources)

filename: U3D.8BI
command: cameraYFov=1;
bytes: aaaabbbA<EIP>ccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyy
  • Detect DAE (Collada) files with abnormally long contributor comment strings, specifically oversized cameraYFov values, as these trigger the stack overflow in U3D.8BI when opened in Adobe Photoshop CS5/CS5.1.
  • Flag DAE files where the contributor comments element contains a string of 170+ repeated characters immediately preceding 'cameraYFov=1;', followed by ~1400 bytes of padding — a pattern consistent with stack-smashing exploit construction.
  • Monitor Photoshop process for stack-based EIP overwrite patterns; the exploit overwrites the return address (EIP) after a fixed 170-byte prefix followed by 'cameraYFov=1;' and ~1400 bytes of controlled data.
  • Inspect DAE files for the Collada Maya export options header string as a delivery vehicle; malicious files mimic legitimate Maya/ColladaMaya exports to appear benign.
  • Vulnerable versions are strictly Adobe Photoshop CS5 12.x before 12.0.5 and CS5.1 12.1.x before 12.1.1; patched versions are not affected.
  • The overflow is triggered specifically through the U3D.8BI plugin; disabling or removing this plugin on unpatched systems reduces attack surface.
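
A static file check for the first two bullets, added here as an example (not code from the source page or from any vendor tool): it parses a DAE file and flags oversized text under `<asset>` and a long repeated-character run directly before `cameraYFov=`. The 1024-character limit, the function names and both sample files are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_TEXT_LEN = 1024   # assumed ceiling for any <asset> text; tune on benign exports
MIN_RUN = 170         # repeated-character run length named in the bullets above
MARKER = "cameraYFov="

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def _run_before(text, idx):
    """Length of the run of one repeated character ending just before idx."""
    n = 0
    while n < idx and text[idx - 1 - n] == text[idx - 1]:
        n += 1
    return n

def scan_dae(data: bytes) -> list[str]:
    """Return findings for one DAE file's bytes; an empty list means nothing flagged."""
    # Cheap guard against entity expansion; use a hardened XML parser in production.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD/entity declaration present; not parsed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for asset in (e for e in root.iter() if _local(e.tag) == "asset"):
        for el in asset.iter():
            text, name = el.text or "", _local(el.tag)
            if len(text) > MAX_TEXT_LEN:
                findings.append(f"<{name}> text is {len(text)} chars (limit {MAX_TEXT_LEN})")
            idx = text.find(MARKER)
            while name == "comments" and idx != -1:
                run = _run_before(text, idx)
                if run >= MIN_RUN:
                    findings.append(f"<comments> has {run}-char run before {MARKER}")
                idx = text.find(MARKER, idx + 1)
    return findings

# Constructed samples (not from any real file): a normal-looking export and an oversized one.
_TEMPLATE = ('<COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema" version="1.4.1">'
             "<asset><contributor><comments>{}</comments></contributor></asset></COLLADA>")
BENIGN = _TEMPLATE.format("ColladaMaya export options: bakeTransforms=0;cameraYFov=1;").encode()
SUSPICIOUS = _TEMPLATE.format("A" * 170 + "cameraYFov=1;" + "B" * 1400).encode()

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_dae(blob))
```

Run it at a mail or file gateway before files reach unpatched workstations; a hit is a reason to quarantine and inspect, not proof of exploitation.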