Description
After Effects versions 25.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

After Effects versions up to and including 25.6 contain a null pointer dereference that, when triggered by a malicious file, can cause the application to crash. The vulnerability is identified as CWE-476 and does not provide remote code execution but results in an application denial of service and potential loss of unsaved work.

Affected Systems

Adobe After Effects users on Apple macOS and Microsoft Windows are impacted. All builds of version 25.6 and earlier are vulnerable; any installation not updated past 25.6 is considered at risk.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate risk while an EPSS score of less than 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. Exploitation requires a victim to open a crafted file, so the threat is limited to users handling untrusted media files, but the attack path is simple and does not need elevated privileges.

Generated by OpenCVE AI on April 18, 2026 at 12:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe’s patch that updates After Effects to version 25.7 or later, which fixes the null pointer dereference flaw.
  • Update all other Adobe Creative Cloud applications to their latest releases to protect other components that may interact with After Effects.
  • Restrict the opening of untrusted media files by disabling automatic file handling or using document protection policies in the operating system.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe after Effects
Vendors & Products Adobe
Adobe after Effects

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description After Effects versions 25.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title After Effects | NULL Pointer Dereference (CWE-476)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-11T15:20:03.347Z

Reserved: 2025-12-12T22:01:18.204Z

Link: CVE-2026-21350

Vulnrichment

Updated: 2026-02-11T15:19:56.691Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:32.403

Modified: 2026-02-11T17:29:51.313

Link: CVE-2026-21350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses