Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local malicious-file vector (AV:L) needing victim to open the file (UI:R), no privileges (PR:N), with memory-corruption code execution yielding full C/I/A impact.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Media Encoder is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Arbitrary code execution in Adobe Media Encoder arises from an out-of-bounds write (CWE-787) that lets a crafted media file corrupt memory and run attacker-controlled code in the context of the current user. Any user who opens a malicious file in the affected desktop application is at risk, with full loss of confidentiality, integrity, and availability on the host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires user interaction: a victim must open (or import/queue) an attacker-supplied malicious media file in Adobe Media Encoder on the local host - this is the exact prerequisite stated in the description and reflected by AV:L/UI:R in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - meaning local vector, low complexity, no privileges, but mandatory user interaction, yielding high impact across all three security properties. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious media project or asset file that triggers the out-of-bounds write and delivers it via email, a shared drive, or a download disguised as legitimate footage. When a video/media professional opens or imports the file in Adobe Media Encoder, memory corruption executes attacker-controlled code with that user's privileges. … |
| Remediation | Patch available per vendor advisory: apply the fixed version of Adobe Media Encoder distributed by Adobe as described in bulletin APSB26-72 (https://helpx.adobe.com/security/products/media-encoder/apsb26-72.html); the exact fixed build number is not included in the provided data and should be taken directly from that advisory, then deployed via the Creative Cloud desktop app or Adobe's admin/enterprise update channels. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Adobe Media Encoder installations across the organization and communicate to users to avoid opening media files from untrusted sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Media Encoder
View allArbitrary code execution in Adobe Media Encoder arises from a stack-based buffer overflow (CWE-121) triggered when a vic
Arbitrary code execution in Adobe Media Encoder is possible through an out-of-bounds write triggered when a victim opens
Arbitrary code execution in Adobe Media Encoder is possible when a victim opens a maliciously crafted media file, trigge
Media Encoder is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An a
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44508
GHSA-9mp5-882h-8w67