Description
After Effects versions 25.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Patch
AI Analysis

Impact

After Effects versions 25.6 and earlier contain an out‑of‑bounds write flaw that can be triggered by opening a specially crafted file, allowing an attacker to corrupt memory and execute code with the victim’s privileges. Based on the description, it is inferred that this flaw could threaten confidentiality, integrity and availability, even though the CVE text does not explicitly list those impacts.

Affected Systems

Adobe After Effects 25.6 and older releases running on macOS or Windows are affected.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, while the EPSS score of less than 1% suggests a low chance of immediate exploitation. The vulnerability is not in CISA’s KEV catalog. Exploitation requires user interaction: the victim must open a malicious file for the out‑of‑bounds write to trigger code execution in the user’s context. The most likely attack vector is via a malicious file presented to a user.

Generated by OpenCVE AI on April 18, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe After Effects update that contains the patch, as detailed in Adobe’s security advisory
  • Configure the operating system or use sandboxing to restrict the application from processing untrusted files without explicit permission
  • Educate users to verify the source of files and avoid opening documents from unknown or untrusted origins



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple, Apple macos, Microsoft, Microsoft windows
CPEs | | cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Apple, Apple macos, Microsoft, Microsoft windows

Tue, 10 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe, Adobe after Effects
Vendors & Products | | Adobe, Adobe after Effects

Tue, 10 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | After Effects versions 25.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | After Effects | Out-of-bounds Write (CWE-787)
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:35.501Z

Reserved: 2025-12-12T22:01:18.193Z

Link: CVE-2026-21318

Vulnrichment

Updated: 2026-02-25T15:42:15.960Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:29.177

Modified: 2026-02-11T17:37:55.820

Link: CVE-2026-21318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses