Description
After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds write in Adobe After Effects allows a malicious document to overwrite memory, which can be leveraged to run arbitrary code under the victim’s user context. The vulnerability exists in versions 26.0, 25.6.4, and older releases. Because the flaw requires the user to open a crafted file, exploitation depends on user interaction. If successful, an attacker could gain control over the affected system, execute arbitrary commands, or install malware.

Affected Systems

Adobe After Effects 26.0, 25.6.4, and all older versions.

Risk and Exploitability

The CVSS score of 7.8 denotes high risk; the absence of an EPSS score means no current exploit probability is reported, and the vulnerability is not listed in CISA's KEV catalog. Attackers must convince a user to open a malicious file, so exploitation requires user interaction. If the attack succeeds, the attacker can execute code with the user's privileges. The high severity combined with the need for user action suggests a moderate to high exploitation likelihood in environments where users routinely open untrusted files.

Generated by OpenCVE AI on May 12, 2026 at 19:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Adobe's latest After Effects patch or upgrade to a non‑vulnerable release as published on Adobe's security advisory.
  • Avoid opening suspicious or unknown After Effects project files; verify file authenticity before opening.
  • Restrict user permissions so that users do not run After Effects with administrative rights and enforce application whitelisting to block unauthorized executables.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:45:00 +0000

Values added (none removed):

  • First Time appeared: Adobe; Adobe after Effects
  • Vendors & Products: Adobe; Adobe after Effects

Tue, 12 May 2026 17:30:00 +0000

Values added (none removed):

  • Description: After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
  • Title: After Effects | Out-of-bounds Write (CWE-787)
  • Weaknesses: CWE-787
  • References:
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-12T17:19:02.278Z

Reserved: 2026-03-30T17:30:36.492Z

Link: CVE-2026-34643

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-12T18:17:10.707

Modified: 2026-05-12T18:55:27.190

Link: CVE-2026-34643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:30:23Z

Weaknesses