Description
After Effects versions 25.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Elevated Privileges – User‑level Code Execution
Action: Patch Now
AI Analysis

Impact

After Effects versions 25.6 and earlier contain an out‑of‑bounds read when parsing a crafted file. This vulnerability is classified as CWE‑125 and can enable an attacker to execute arbitrary code in the context of the user who opens the malicious file.

Affected Systems

Adobe After Effects versions 25.6 and earlier are affected on both macOS and Windows. Any installation of these versions can be compromised if a user opens a specially crafted file.

Risk and Exploitability

The CVSS score of 7.8 is rated High, but the EPSS score of less than 1% suggests a very low probability of real-world exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires user interaction to open the malicious file; the CVSS vector gives the attack vector as local (AV:L), with the crafted file likely delivered through a social-engineering approach.

Generated by OpenCVE AI on April 17, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe After Effects update (version 25.7 or later) as provided by Adobe’s security advisory.
  • Configure Adobe Creative Cloud to enable automatic updates and ensure that all installations receive the latest security patches.
  • Verify that files from untrusted sources are scanned or opened within a controlled environment to prevent accidental execution of malicious content.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 11 Feb 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Apple, Apple macos, Microsoft, Microsoft windows |

Tue, 10 Feb 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe after Effects |
| Vendors & Products | | Adobe, Adobe after Effects |

Tue, 10 Feb 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | After Effects versions 25.6 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | After Effects \| Out-of-bounds Read (CWE-125) |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:34.141Z

Reserved: 2025-12-12T22:01:18.194Z

Link: CVE-2026-21324

Vulnrichment

Updated: 2026-02-25T15:42:13.331Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:30.080

Modified: 2026-02-11T17:36:45.697

Link: CVE-2026-21324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses