Description
After Effects versions 25.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

After Effects versions 25.6 and earlier contain an out‑of‑bounds write flaw that can be triggered when a user opens a specially crafted file. The vulnerability can lead to arbitrary code execution running under the privileges of the currently logged‑in user, potentially allowing an attacker to compromise the machine, exfiltrate data, or install malware.

Affected Systems

Adobe After Effects, versions 25.6 and earlier, running on both macOS and Windows platforms. The affected binaries are the standard installation packages available from Adobe’s distribution channels.

Risk and Exploitability

The risk is quantified by a CVSS score of 7.8, which falls in the High severity band. However, the EPSS score is below 1%, suggesting a low probability of real‑world exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim to open a malicious file, so the attack vector is user interaction with a document, making it a typical spear‑phishing or social engineering scenario.

Generated by OpenCVE AI on April 17, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe After Effects to version 26.0 or later to receive the vendor‑issued fix for the out‑of‑bounds write flaw.
  • Enable and enforce automatic updates for Adobe applications so that future security patches are applied without manual intervention.
  • Restrict file types that can be opened by After Effects by implementing a trusted repository or quarantine mechanism, ensuring only vetted files are processed.
  • If an immediate upgrade cannot be performed, run After Effects within a sandbox or virtual machine to isolate the application from the host system until the patch is applied.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 11:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 17:45:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Apple, Apple macos, Microsoft, Microsoft windows
  • CPEs: cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Apple, Apple macos, Microsoft, Microsoft windows

Tue, 10 Feb 2026 21:45:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Adobe, Adobe after Effects
  • Vendors & Products: Adobe, Adobe after Effects

Tue, 10 Feb 2026 18:15:00 +0000

Values Removed: (none)
Values Added:
  • Description: After Effects versions 25.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
  • Title: After Effects | Out-of-bounds Write (CWE-787)
  • Weaknesses: CWE-787
  • References
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:36.784Z

Reserved: 2025-12-12T22:01:18.194Z

Link: CVE-2026-21327

Vulnrichment

Updated: 2026-02-25T15:42:25.426Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:30.530

Modified: 2026-02-11T17:36:07.663

Link: CVE-2026-21327

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses