Description
After Effects versions 25.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

A Use After Free flaw in Adobe After Effects versions 25.6 and earlier could allow an attacker to execute arbitrary code when a user opens a malicious file. The vulnerability is a classic heap-memory error (CWE-416) that results in local code execution within the user context. An attacker who succeeds can run code with the same permissions as the victim.

Affected Systems

The issue affects Adobe After Effects on all platforms, including macOS, Windows, and potentially other operating systems supported by the application. Any installation of After Effects version 25.6 or older is vulnerable, regardless of operating system version.

Risk and Exploitability

The CVSS base score of 7.8 corresponds to High severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at this time. The vulnerability requires user interaction in that the victim must open a crafted file, which limits remote exploitation. It is not currently listed in CISA's KEV catalog, so no active exploitation has been recorded there. Nevertheless, the combination of high impact and the need for user action means it remains a high risk for environments where users may unknowingly open malicious media.

Generated by OpenCVE AI on April 17, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe After Effects to the latest available release, which removes the Use After Free flaw.
  • Deploy the update consistently across all workstations that run After Effects.
  • Establish strict policies to prevent users from opening untrusted files, such as disabling drag‑and‑drop or using file‑type whitelisting.

Generated by OpenCVE AI on April 17, 2026 at 20:40 UTC.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple, Apple macos, Microsoft, Microsoft windows
CPEs | | cpe:2.3:a:adobe:after_effects:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Apple, Apple macos, Microsoft, Microsoft windows

Tue, 10 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe, Adobe after Effects
Vendors & Products | | Adobe, Adobe after Effects

Tue, 10 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | After Effects versions 25.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | After Effects | Use After Free (CWE-416)
Weaknesses | | CWE-416
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T14:44:37.709Z

Reserved: 2025-12-12T22:01:18.204Z

Link: CVE-2026-21351

Vulnrichment

Updated: 2026-02-25T15:42:33.392Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:32.553

Modified: 2026-02-11T17:29:31.673

Link: CVE-2026-21351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses