Description
Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Illustrator versions 29.8.6, 30.3 and all earlier releases contain a heap-based buffer overflow that can be triggered by a specially crafted file. When an affected user opens such a file, the overflow can allow arbitrary code to run with the permissions of that user. This vulnerability falls under CWE-122 and is a high-severity flaw because it can compromise the confidentiality, integrity, and availability of the victim's system.

Affected Systems

Vulnerable systems are those running Adobe Illustrator 29.8.6, 30.3, or any earlier version of the product. The vulnerability does not affect releases later than 30.3.

Risk and Exploitability

The cited CVSS score of 7.8 classifies this as high, indicating significant potential damage. Although the EPSS score is not available, the vulnerability requires user interaction – the user must deliberately open a malicious file – which reduces its exploitability in unattended environments but still poses a serious risk in typical office settings. The issue is not listed in the CISA KEV catalog, suggesting that it is not a known, actively exploited vulnerability at this time, but its high impact warrants immediate concern for any user with access to Illustrator.

Generated by OpenCVE AI on May 12, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Illustrator update that resolves the heap overflow, as detailed in Adobe's security advisory.
  • Configure the operating system or file manager to display a prompt before opening Illustrator files, preventing automatic execution of unknown documents.
  • Integrate antivirus or sandboxing solutions that scan or isolate Illustrator files before they can be processed, reducing the risk of a malicious file executing code.

Generated by OpenCVE AI on May 12, 2026 at 19:40 UTC.


Advisories

No advisories yet.

History

Wed, 13 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Adobe, Adobe illustrator, Apple, Apple macos, Microsoft, Microsoft windows
CPEs | | cpe:2.3:a:adobe:illustrator:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Adobe, Adobe illustrator, Apple, Apple macos, Microsoft, Microsoft windows

Tue, 12 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title | | Illustrator | Heap-based Buffer Overflow (CWE-122)
Weaknesses | | CWE-122
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T09:58:56.778Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34687

Vulnrichment

Updated: 2026-05-13T09:57:16.938Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:11.630

Modified: 2026-05-12T19:13:32.743

Link: CVE-2026-34687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T00:30:28Z

Weaknesses