CVE-2026-21318
Published: 10 February 2026
Summary
CVE-2026-21318 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe After Effects. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the out-of-bounds write vulnerability in After Effects through application of vendor security patches as recommended in Adobe APSB26-15.
Memory protection mechanisms like ASLR and DEP mitigate successful arbitrary code execution from the out-of-bounds write even if the software remains unpatched.
Vulnerability scanning identifies systems with vulnerable After Effects versions (25.6 and earlier), enabling prioritization and remediation of this specific CVE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write enables client-side arbitrary code execution via malicious file opened by user (T1203 Exploitation for Client Execution and T1204.002 Malicious File).
NVD Description
After Effects versions 25.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open…
more
a malicious file.
Deeper analysisAI
CVE-2026-21318 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe After Effects versions 25.6 and earlier. This flaw could lead to arbitrary code execution in the context of the current user when processing malicious files. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Exploitation requires local access and user interaction, specifically tricking a victim into opening a malicious file with the vulnerable After Effects software. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). Successful exploitation allows an attacker to execute arbitrary code with the privileges of the current user, potentially enabling full system compromise on the affected machine.
Adobe's security bulletin APSB26-15, available at https://helpx.adobe.com/security/products/after_effects/apsb26-15.html, provides details on the vulnerability and recommends mitigation through applying the latest security updates to After Effects. Security practitioners should advise users to update to a patched version and avoid opening untrusted files.
Details
- CWE(s)