Description
After Effects versions 26.0, 25.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

After Effects versions 26.0, 25.6.4 and earlier contain a heap-based buffer overflow that allows an attacker to execute arbitrary code within the context of the currently logged‑in user. The flaw arises when processing a maliciously crafted file and can compromise confidentiality, integrity, and availability of the user’s data and the system as a whole. The weakness is classified as CWE‑122.

Affected Systems

Adobe After Effects, including all releases up to and including 26.0 and 25.6.4. Users running these affected versions are vulnerable and must update to a later release that removes the heap overflow.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity potential for exploitation. No EPSS value is available, leaving the precise likelihood uncertain, but the issue is not listed in the CISA KEV catalog at this time. Based on the description, the attack vector requires a victim to open a malicious file, so the vulnerability is exploitable through user interaction, typically via social engineering or malicious media files. If executed, an attacker can gain code execution authority within the user’s session, potentially leading to system compromise.

Generated by OpenCVE AI on May 12, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Adobe After Effects update that resolves the heap-based buffer overflow.
  • Configure the system to block automatic opening of unknown or suspicious file types in After Effects.
  • Apply application whitelisting policies to ensure only approved Adobe binaries can execute.

Generated by OpenCVE AI on May 12, 2026 at 19:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe after Effects
Vendors & Products Adobe
Adobe after Effects

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description After Effects versions 26.0, 25.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title After Effects | Heap-based Buffer Overflow (CWE-122)
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Adobe After Effects
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T03:58:08.169Z

Reserved: 2026-03-30T17:30:36.492Z

Link: CVE-2026-34642

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T18:17:10.583

Modified: 2026-05-12T18:55:27.190

Link: CVE-2026-34642

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T19:45:15Z

Weaknesses