Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local file-open attack requiring victim interaction (AV:L/UI:R), no attacker privileges needed to craft the file (PR:N), and code execution yields full C/I/A impact.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Bridge is affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Arbitrary code execution in Adobe Bridge arises from an integer overflow (CWE-190) triggered when a victim opens a maliciously crafted file, allowing an attacker to run code in the context of the current user. The flaw is local and requires user interaction, carrying a CVSS 7.8 (High) score. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim running Adobe Bridge opens (or previews) an attacker-crafted malicious file - this user interaction is mandatory (CVSS UI:R) and is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 7.8 High) frames this as a client-side, local attack: exploitation is not remote-over-network but requires the victim to open an attacker-supplied file, which is why the vector is AV:L with UI:R despite PR:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious asset file (e.g., an image or media file) whose header values trigger the integer overflow in Bridge's parser, then delivers it via email, a shared drive, or a download disguised as a legitimate creative asset. When the victim opens or previews the file in Adobe Bridge, the overflow corrupts memory and executes attacker-controlled code with the victim's privileges. … |
| Remediation | Apply the vendor update: consult Adobe security bulletin APSB26-81 (https://helpx.adobe.com/security/products/bridge/apsb26-81.html) and upgrade Adobe Bridge to the fixed release listed there via the Creative Cloud desktop application's update mechanism - the exact fixed version is defined in that advisory and was not included in the provided data, so it should be taken directly from Adobe. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Adobe Bridge deployments in your environment and assess whether users routinely open files from untrusted or external sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Bridge
View allArbitrary code execution in Adobe Bridge allows an attacker to run code in the context of the current user by tricking a
Arbitrary code execution in Adobe Bridge is possible through an out-of-bounds write (CWE-787) triggered when a victim op
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file that triggers a heap
Arbitrary code execution in Adobe Bridge results from an out-of-bounds write (CWE-787) that a victim triggers by opening
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file, triggering an out-o
Same weakness CWE-190 – Integer Overflow or Wraparound
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44496
GHSA-8p4v-4472-qp82