Description
Illustrator versions 29.8.4, 30.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Patch Now
AI Analysis

Impact

Illustrator 29.8.4, 30.1, and earlier contain a heap‑based buffer overflow that can lead to arbitrary code execution when a user opens a crafted file. The flaw allows an attacker to corrupt memory on the heap, potentially executing arbitrary instructions in the context of the current user. The exploitation vector requires user interaction – the victim must open a malicious graphic file.

Affected Systems

Adobe Illustrator versions 29.8.4, 30.1, and earlier running on Microsoft Windows are affected; these versions are present on Windows desktops and workstations.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating high severity. The EPSS probability is below 1%, suggesting that exploitation is unlikely but not impossible. Because the vector requires the victim to open a malicious file, the primary risk is social‑engineering or phishing campaigns. The flaw is not listed in CISA’s KEV catalog, so no widespread known exploits have been reported. The risk remains moderate, primarily due to the need for user interaction.

Generated by OpenCVE AI on April 16, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Adobe Illustrator security update published in APSB26-18 to eliminate the heap‑based buffer overflow.
  • Restrict or monitor the opening of unknown or suspicious files; use email attachment scanning to block malicious graphics.
  • Run Adobe Illustrator with the lowest possible user privileges or in a sandboxed environment to limit the impact of potential exploitation.



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:illustrator:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 11 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe illustrator
Vendors & Products Adobe
Adobe illustrator

Tue, 10 Mar 2026 23:15:00 +0000

Type Values Removed Values Added
Description Illustrator versions 29.8.4, 30.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title Illustrator | Heap-based Buffer Overflow (CWE-122)
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-11T13:08:15.042Z

Reserved: 2026-02-18T22:02:41.387Z

Link: CVE-2026-27271

Vulnrichment

Updated: 2026-03-11T13:01:52.195Z

NVD

Status: Analyzed

Published: 2026-03-10T23:16:44.257

Modified: 2026-03-11T17:11:22.460

Link: CVE-2026-27271

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses