Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local file-open exploitation (AV:L, UI:R) needs no prior privileges (PR:N) and yields full user-context code execution, giving high C/I/A with unchanged scope.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Media Encoder is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Arbitrary code execution in Adobe Media Encoder is possible when a victim opens a maliciously crafted media file, triggering an out-of-bounds write (CWE-787) that runs attacker code in the context of the current user. The flaw is local and requires user interaction, so it is not remotely wormable, but successful exploitation grants full compromise of the user's session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open a malicious, attacker-crafted media/container file in Adobe Media Encoder on the local machine - that user interaction (CVSS UI:R) is the mandatory trigger, and there is no remote or unauthenticated network path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - local attack vector, low complexity, no privileges, but required user interaction, with high confidentiality/integrity/availability impact and unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious media or project file that triggers the out-of-bounds write and delivers it via email, a shared drive, or a compromised asset library used by a video/production team. When an editor opens or imports the file in Adobe Media Encoder, the corrupted memory operation hijacks execution and runs the attacker's payload with that user's privileges. … |
| Remediation | Patch available per vendor advisory (APSB26-72): update Adobe Media Encoder to the fixed version listed by Adobe, distributed through the Creative Cloud desktop application, and consult https://helpx.adobe.com/security/products/media-encoder/apsb26-72.html for the exact patched build number (the input does not include a specific fixed version string, so use the version named in that advisory rather than an assumed number). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Adobe Media Encoder and restrict user ability to open media files from untrusted sources; provide users with clear guidance to avoid opening suspicious media files and establish a reporting protocol for suspicious behavior. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Media Encoder
View allArbitrary code execution in Adobe Media Encoder arises from a stack-based buffer overflow (CWE-121) triggered when a vic
Arbitrary code execution in Adobe Media Encoder is possible through an out-of-bounds write triggered when a victim opens
Arbitrary code execution in Adobe Media Encoder arises from an out-of-bounds write (CWE-787) that lets a crafted media f
Media Encoder is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An a
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44445
GHSA-vmgv-gqvj-7p7g