CVE-2026-21330
Published: 10 February 2026
Summary
CVE-2026-21330 is a high-severity Type Confusion (CWE-843) vulnerability in Adobe After Effects. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the type confusion vulnerability in Adobe After Effects by requiring timely identification, reporting, and application of vendor security patches.
Ensures receipt, dissemination, and implementation of security advisories like Adobe's APSB26-15 bulletin addressing this CVE and its patch.
Detects vulnerable After Effects installations through vulnerability scanning and enforces timely updates to mitigate the risk of exploitation via malicious files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in client app enables arbitrary code exec via crafted file opened by user (T1204.002), directly matching Exploitation for Client Execution (T1203).
NVD Description
After Effects versions 25.6 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction…
more
in that a victim must open a malicious file.
Deeper analysisAI
CVE-2026-21330 is a Type Confusion vulnerability (CWE-843), specifically an Access of Resource Using Incompatible Type error, affecting Adobe After Effects versions 25.6 and earlier. This flaw allows arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity but requiring local access and user interaction.
Exploitation requires an attacker to trick a victim into opening a malicious file within After Effects, as user interaction is mandatory. No privileges are needed (PR:N), enabling any local attacker with the ability to deliver a crafted file—such as via email, shared drives, or social engineering—to achieve full arbitrary code execution. This grants high confidentiality, integrity, and availability impacts on the affected system without changing scope.
Adobe's security bulletin APSB26-15, detailed at https://helpx.adobe.com/security/products/after_effects/apsb26-15.html, provides information on mitigation, including available patches for affected versions. Security practitioners should prioritize updating After Effects to the latest version and advise users against opening untrusted files.
Details
- CWE(s)