Cyber Posture

CVE-2026-21333

High · LPE

Published: 10 March 2026

Modified: 11 March 2026
CVSS Score: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21333 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Adobe Illustrator. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Search Order Hijacking (T1038). The CVE ranks at the 8.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL Search Order Hijacking (T1038) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates the untrusted search path vulnerability by requiring timely patching of affected Adobe Illustrator versions as detailed in APSB26-18.

detect

Enables scanning for and identification of vulnerable Illustrator versions exposed to the CVE-2026-21333 untrusted search path flaw.

prevent · detect

Deploys malicious code protection to scan and block arbitrary code execution from malicious DLLs loaded via untrusted search paths when opening files.

MITRE ATT&CK Enterprise Techniques · AI

T1038 · DLL Search Order Hijacking · Persistence
Windows systems use a common method to look for required DLLs to load into a program.
T1574.002 · DLL Side-Loading · Stealth
Adversaries may execute their own malicious payloads by side-loading DLLs.
T1204.002 · Malicious File · Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Untrusted Search Path (CWE-426) directly enables DLL Search Order Hijacking / Side-Loading (T1038/T1574.002) when a user opens a malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Illustrator versions 29.8.4, 30.1 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysis · AI

CVE-2026-21333 is an Untrusted Search Path vulnerability (CWE-426) affecting Adobe Illustrator versions 29.8.4, 30.1, and earlier. Published on 2026-03-10T23:16:43.400, the issue carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). It might allow attackers to execute arbitrary code in the context of the current user upon opening a malicious file.

The attack requires local access with low complexity and no attacker privileges, but depends on user interaction as the victim must open a malicious file. Successful exploitation enables arbitrary code execution under the current user's context, with high impacts to confidentiality, integrity, and availability, amplified by a change in scope.

Adobe's security bulletin APSB26-18, available at https://helpx.adobe.com/security/products/illustrator/apsb26-18.html, details mitigations and patches for this vulnerability.

Details

CWE(s)

Affected Products

adobe illustrator: 29.0 — 29.8.5 · 30.0 — 30.2

CVEs Like This One

CVE-2026-27267 · Same product: Adobe Illustrator
CVE-2026-27272 · Same product: Adobe Illustrator
CVE-2026-27271 · Same product: Adobe Illustrator
CVE-2026-21362 · Same product: Adobe Illustrator
CVE-2025-27167 · Same product: Adobe Illustrator
CVE-2026-21280 · Same product: Adobe Illustrator
CVE-2026-27290 · Same product: Microsoft Windows
CVE-2025-21160 · Same product: Adobe Illustrator
CVE-2026-34618 · Same product: Adobe Illustrator
CVE-2025-21159 · Same product: Adobe Illustrator
