CVE-2026-21346
Published: 10 February 2026
Summary
CVE-2026-21346 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Bridge. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the out-of-bounds write vulnerability by requiring the application of vendor-provided patches as detailed in Adobe's security bulletin APSB26-21.
Implements memory protection mechanisms like DEP and ASLR that hinder reliable exploitation of the out-of-bounds write for arbitrary code execution.
Enforces least privilege to limit the impact of user-context code execution, preventing full system compromise if the affected user lacks elevated permissions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write enables arbitrary code execution triggered by opening a malicious file (local, user-interaction required), directly mapping to client-side exploitation and malicious file user execution.
NVD Description
Bridge versions 15.1.3, 16.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open…
more
a malicious file.
Deeper analysisAI
CVE-2026-21346 is an out-of-bounds write vulnerability (CWE-787) affecting Adobe Bridge versions 15.1.3, 16.0.1, and earlier. This flaw can lead to arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impacts.
Exploitation requires local access and user interaction, specifically a victim opening a malicious file. No privileges are needed (PR:N), and attack complexity is low (AC:L). A successful exploit allows an attacker to execute arbitrary code with the privileges of the user running Bridge, potentially leading to full system compromise if the user has elevated permissions.
Adobe has published security bulletin APSB26-21 with details on the issue and mitigation steps at https://helpx.adobe.com/security/products/bridge/apsb26-21.html. Security practitioners should consult this advisory for patch availability and apply updates to vulnerable Bridge installations promptly.
Details
- CWE(s)