Cyber Resilience

CVE-2026-34644

High

Published: 12 May 2026

Modified: 13 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34644 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Adobe After Effects. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 8.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

After Effects versions 26.0, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

An integer overflow in a client application leads to arbitrary code execution when a malicious file is opened, directly enabling T1203 (client exploitation) and T1204.002 (malicious file execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34642 · Same product: Adobe After Effects
CVE-2026-34643 · Same product: Adobe After Effects
CVE-2026-34640 · Same vendor: Adobe
CVE-2026-21321 · Same product: Adobe After Effects
CVE-2026-21353 · Same vendor: Adobe
CVE-2026-34629 · Same vendor: Adobe
CVE-2025-27181 · Same vendor: Adobe
CVE-2026-34682 · Same vendor: Adobe
CVE-2026-34681 · Same vendor: Adobe
CVE-2026-21352 · Same vendor: Adobe

Affected Assets

adobe
after effects
26.0 · ≤ 25.6.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.