Adobe’s memory safety roadmap: Securing creativity by design
At Adobe, we believe creativity and security go hand in hand. Our commitment is to empower creative expression while upholding high standards of software safety. With over 80 million monthly active users across our desktop products, we recognize our responsibility to innovate in secure software development. Adobe is announcing our adoption of a roadmap to help eliminate memory safety vulnerabilities across our desktop product portfolio. We are proud to share this roadmap and further demonstrate our dedication to building a safer digital future.
Why memory safety matters
Some popular programming languages have greater exposure to vulnerabilities involving improper access to or manipulation of program memory. Memory safety vulnerabilities, such as buffer overflows and use-after-free errors, remain one of the most exploited classes of software flaws. Industry data shows that up to 70 percent of critical vulnerabilities in systems written in C and C++ stem from memory safety issues. Adobe’s own vulnerability assessments indicate that memory safety issues represent the most significant category of security concerns that we are addressing in our desktop products.
Left unresolved, these flaws can have real-world impact on our customers. That’s why we recognize the seriousness of these threats and are taking decisive action to remediate them.
Adobe’s approach to memory safety
As part of our long-standing commitment to product security, Adobe is adopting a roadmap to help eliminate memory safety vulnerabilities across our desktop product portfolio. This multi-pronged, risk-based approach is designed to align with guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and global cybersecurity agencies. Our roadmap includes:
1. Secure Foundations
- Software Bill of Materials (SBOMs): Automating SBOM generation for desktop product releases to enable quicker identification of memory safety vulnerabilities in our third-party code.
- Compiler Hardening: Enabling modern compiler protections (e.g., UBSan) across C and C++ codebases to help flag and remedy memory safety vulnerabilities early in the development process.
 
2. Proactive Defenses
- Fuzz Testing at Scale: Expanding fuzzing coverage across shared libraries and product-specific components to quickly identify vulnerabilities.
- Sandboxing: Extending sandboxing beyond Acrobat and Reader to isolate file parsing logic.
 
3. Secure-by-Design Development
- Memory Safe Languages: Adopting Rust and Swift for new safety-critical components to help prevent memory-safety vulnerabilities by design.
- Modernization of Legacy Code: Rewriting higher-risk components or applying rigorous fuzzing and sandboxing to eliminate or contain vulnerabilities within these legacy systems.
 
With these three strategies in place, we can effectively secure first- and third-party legacy code as well as put foundations in place for safe future development.
Looking ahead
By the end of 2028, our goal is to harden our desktop products against memory safety exploits in file parsing and decoding logic. This initiative will enhance protection for our customers from file-based, one-click attacks, such as those that occur when opening unknown attachments or files from the Internet. Looking further ahead, by 2030, we are committed to reducing the use of new C and C++ code in our products to a fraction of current levels.
Trust drives Adobe’s adoption of this roadmap. Trust empowers creativity, and it starts with secure software that protects our users every day. From government agencies to enterprises and creative professionals worldwide, our customers depend on Adobe to help safeguard their work and respect privacy. Adobe is committed to continually earning and upholding that trust through our ongoing innovation and commitment to security.