Cyber Posture

CVE-2026-27298

High

Published: 14 April 2026

Published
14 April 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27298 is a high-severity Type Confusion (CWE-843) vulnerability in Adobe Framemaker. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly addresses the type confusion vulnerability by requiring timely installation of patches for affected Adobe Framemaker versions as per the vendor advisory.

SI-16 Memory Protection partial match
prevent

Implements memory safeguards like ASLR and DEP that mitigate exploitation of type confusion flaws for arbitrary code execution.

SI-3 Malicious Code Protection partial match
preventdetect

Malicious code protection scans and blocks malicious Framemaker files exploiting this vulnerability before or during user interaction.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Type confusion in FrameMaker file parsing is directly triggered by opening a crafted malicious document (T1204.002), resulting in arbitrary code execution in a client application (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction…

more

in that a victim must open a malicious file.

Deeper analysisAI

CVE-2026-27298 is an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability, classified under CWE-843, affecting Adobe Framemaker versions 2022.8 and earlier. This flaw could result in arbitrary code execution in the context of the current user. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-14T23:16:26.930.

Exploitation requires user interaction, specifically a victim opening a malicious file. An attacker with local access and no privileges can craft and deliver such a file, achieving arbitrary code execution with high confidentiality, integrity, and availability impacts upon the victim's interaction.

Adobe's security advisory at https://helpx.adobe.com/security/products/framemaker/apsb26-36.html provides information on mitigation measures for this vulnerability.

Details

CWE(s)
CWE-843

Affected Products

adobe
framemaker
≤ 2022.9

CVEs Like This One

CVE-2026-27295Same product: Adobe Framemaker
CVE-2026-27297Same product: Adobe Framemaker
CVE-2026-27293Same product: Adobe Framemaker
CVE-2026-27296Same product: Adobe Framemaker
CVE-2026-27292Same product: Adobe Framemaker
CVE-2026-27294Same product: Adobe Framemaker
CVE-2026-21330Same product: Microsoft Windows
CVE-2026-27290Same product: Adobe Framemaker
CVE-2026-27267Same product: Microsoft Windows
CVE-2026-27272Same product: Microsoft Windows

References