Skip to main content

Adobe Media Encoder CVE-2026-48370

| EUVDEUVD-2026-44508 HIGH
Out-of-bounds Write (CWE-787)
2026-07-14 adobe GHSA-9mp5-882h-8w67
7.8
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local malicious-file vector (AV:L) needing victim to open the file (UI:R), no privileges (PR:N), with memory-corruption code execution yielding full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 21:14 vuln.today
CVE Published
Jul 14, 2026 - 19:58 cve.org
HIGH 7.8

DescriptionCVE.org

Media Encoder is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe Media Encoder arises from an out-of-bounds write (CWE-787) that lets a crafted media file corrupt memory and run attacker-controlled code in the context of the current user. Any user who opens a malicious file in the affected desktop application is at risk, with full loss of confidentiality, integrity, and availability on the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious media file
Delivery
Deliver to victim via email or download
Exploit
Victim opens file in Media Encoder
Execution
Trigger out-of-bounds write in parser
Impact
Execute arbitrary code as current user

Vulnerability AssessmentAI

Exploitation Exploitation requires user interaction: a victim must open (or import/queue) an attacker-supplied malicious media file in Adobe Media Encoder on the local host - this is the exact prerequisite stated in the description and reflected by AV:L/UI:R in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - meaning local vector, low complexity, no privileges, but mandatory user interaction, yielding high impact across all three security properties. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious media project or asset file that triggers the out-of-bounds write and delivers it via email, a shared drive, or a download disguised as legitimate footage. When a video/media professional opens or imports the file in Adobe Media Encoder, memory corruption executes attacker-controlled code with that user's privileges. …
Remediation Patch available per vendor advisory: apply the fixed version of Adobe Media Encoder distributed by Adobe as described in bulletin APSB26-72 (https://helpx.adobe.com/security/products/media-encoder/apsb26-72.html); the exact fixed build number is not included in the provided data and should be taken directly from that advisory, then deployed via the Creative Cloud desktop app or Adobe's admin/enterprise update channels. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Adobe Media Encoder installations across the organization and communicate to users to avoid opening media files from untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy