Cyber Resilience

CVE-2026-34640

High

Published: 12 May 2026

Modified: 13 May 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34640 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Adobe Media Encoder. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 8.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (Tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

An integer overflow enables arbitrary code execution via a malicious file opened by the victim (client-side exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34639 · Same product: Adobe Media Encoder
CVE-2026-34644 · Same vendor: Adobe
CVE-2026-21353 · Same vendor: Adobe
CVE-2026-34629 · Same vendor: Adobe
CVE-2025-27181 · Same vendor: Adobe
CVE-2026-34682 · Same vendor: Adobe
CVE-2026-34681 · Same vendor: Adobe
CVE-2026-21352 · Same vendor: Adobe
CVE-2026-21334 · Same vendor: Adobe
CVE-2026-34675 · Same vendor: Adobe

Affected Assets

adobe
media encoder
≤ 25.6.5 · 26.0 — 26.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.