Description
After Effects versions 25.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Patch Now
AI Analysis

Impact

CVE-2026-21328 is an out-of-bounds write vulnerability present in Adobe After Effects versions 25.6 and earlier. The flaw allows an attacker to corrupt memory when parsing a malicious file, leading to arbitrary code execution in the user’s context. The primary impact is that a specially crafted After Effects project can execute code on the target system without requiring elevated privileges.

Affected Systems

Affected products include Adobe After Effects on both macOS and Windows platforms. Versions 25.6 and earlier are vulnerable. The CPE entries do not restrict the operating-system version, so the vulnerability applies across all supported macOS and Windows releases.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8 (High). The EPSS score is reported as less than 1%, and the CVE is not listed in the CISA KEV catalog. Exploitation requires user interaction: the victim must open a malicious After Effects file. The likely attack vector is social engineering, in which a user receives and opens a file from an untrusted source, triggering the memory corruption and code execution. Because the flaw is triggered only during file parsing, remote exploitation without user action is not feasible.

Generated by OpenCVE AI on April 17, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe After Effects to the latest release (version 25.7 or newer) to remove the vulnerability.
  • Avoid opening or importing files from untrusted or unknown sources in After Effects.
  • Stay informed about Adobe security advisories and apply any subsequent patches promptly.



Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple macos; Microsoft; Microsoft windows
CPEs | | cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Apple; Apple macos; Microsoft; Microsoft windows

Tue, 10 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe; Adobe after Effects
Vendors & Products | | Adobe; Adobe after Effects

Tue, 10 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | After Effects versions 25.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | After Effects | Out-of-bounds Write (CWE-787)
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:35.871Z

Reserved: 2025-12-12T22:01:18.194Z

Link: CVE-2026-21328

Vulnrichment

Updated: 2026-02-25T15:42:18.411Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:30.680

Modified: 2026-02-11T17:35:50.863

Link: CVE-2026-21328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses