Description
After Effects versions 25.6 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Adobe After Effects versions 25.6 and earlier contain a type confusion flaw (CWE‑843) that allows an attacker to execute arbitrary code in the context of the current user. The vulnerability is triggered when a maliciously crafted project file is opened, leading the application to treat an incompatible data type and write unintended data, thereby granting code execution privileges.

Affected Systems

The flaw affects all installations of Adobe After Effects version 25.6 and older on macOS and Windows platforms. Any user running these versions who opens a malicious or tampered After Effects file is susceptible to exploitation.

Risk and Exploitability

With a CVSS score of 7.8 the vulnerability is classified as high severity, and the EPSS score of less than 1 percent suggests a low but non‑zero probability of exploitation in the wild. Exploitation requires user interaction to open a malicious file, making social engineering or targeted attacks the most likely vectors. The vulnerability is not currently listed in the CISA KEV catalog, but it remains a known risk until the published update is applied.

Generated by OpenCVE AI on April 17, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe After Effects update (version 25.7 or later) that addresses the type‑confusion vulnerability.
  • Educate users to avoid opening unfamiliar files and to verify the source before opening them.
  • Deploy reputable security software that scans attachments and blocks malicious file types before they reach After Effects.

Generated by OpenCVE AI on April 17, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe after Effects
Vendors & Products Adobe
Adobe after Effects

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description After Effects versions 25.6 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title After Effects | Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)
Weaknesses CWE-843
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe After Effects
Apple Macos
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:36.164Z

Reserved: 2025-12-12T22:01:18.194Z

Link: CVE-2026-21330

cve-icon Vulnrichment

Updated: 2026-02-25T15:42:20.528Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:30.990

Modified: 2026-02-11T17:39:42.610

Link: CVE-2026-21330

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses