Description
After Effects versions 25.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Adobe After Effects versions 25.6 and earlier contain an out-of-bounds read (CWE-125) that is triggered when parsing a specially crafted file. The flaw permits reading beyond the allocated memory structure, and an attacker can exploit this to run arbitrary code in the context of the user who opens the malicious file.

Affected Systems

The affected product is Adobe After Effects, with versions 25.6 and earlier. The CPE entries indicate the flaw applies to installations on both macOS and Windows operating systems.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires user interaction: the victim must open a malicious file. If successful, the attacker gains the privileges of that user.

Generated by OpenCVE AI on April 18, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe After Effects update that includes the security fix for the out‑of‑bounds read vulnerability.
  • Configure After Effects or the operating system to sandbox or otherwise restrict the import of untrusted media files, limiting the attacker's ability to trigger the flaw.
  • Maintain up‑to‑date antivirus, intrusion detection, and monitoring tools that detect anomalous activity involving After Effects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple, Apple macos, Microsoft, Microsoft windows |

Tue, 10 Feb 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe after Effects |
| Vendors & Products | | Adobe, Adobe after Effects |

Tue, 10 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 10 Feb 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | After Effects versions 25.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | After Effects \| Out-of-bounds Read (CWE-125) |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:35.120Z

Reserved: 2025-12-12T22:01:18.194Z

Link: CVE-2026-21322

Vulnrichment

Updated: 2026-02-10T19:34:10.897Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:29.770

Modified: 2026-02-11T17:37:15.623

Link: CVE-2026-21322

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses