Description
Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Illustrator versions 29.8.6, 30.3, and earlier contain an out-of-bounds write flaw that can be triggered by processing a specially crafted document. The flaw allows memory corruption, which may lead to arbitrary code execution with the privileges of the current user. The vulnerability is classified as CWE‑787 and its CVSS score of 7.8 indicates a high severity with the potential for significant confidentiality, integrity, and availability impact.

Affected Systems

Adobe Illustrator, versions 29.8.6, 30.3, and all earlier releases.

Risk and Exploitability

The flaw is not listed in CISA’s KEV catalog and its EPSS score is not available; however, the CVSS rating of 7.8 signals a severe potential risk. Exploitation requires user interaction; an attacker must supply a malicious .ai file and persuade the victim to open it. The attack vector is therefore a file‑based, user‑initiated exploit that leverages the document parsing routine to corrupt memory.

Generated by OpenCVE AI on May 12, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Illustrator update that includes the fix (Adobe APSB26‑51).
  • Avoid opening Illustrator files from untrusted or unknown sources, and verify file integrity before opening.
  • Monitor systems for abnormal activity such as unexpected process creation or privilege escalation that could indicate exploitation of this flaw.

Advisories

No advisories yet.

History

Wed, 13 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Tue, 12 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Adobe, Adobe illustrator, Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | `cpe:2.3:a:adobe:illustrator:*:*:*:*:*:*:*:*`, `cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*`, `cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*` |
| Vendors & Products | | Adobe, Adobe illustrator, Apple, Apple macos, Microsoft, Microsoft windows |

Tue, 12 May 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Illustrator \| Out-of-bounds Write (CWE-787) |
| Weaknesses | | CWE-787 |
| References | | |
| Metrics | | cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T09:59:11.228Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34661

Vulnrichment

Updated: 2026-05-13T09:57:21.454Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:10.980

Modified: 2026-05-12T19:14:53.157

Link: CVE-2026-34661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses