Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
File-open exploitation gives local vector and UI:R; no attacker privileges needed (PR:N); arbitrary code execution as current user yields high C/I/A with unchanged scope.
Primary rating from Vendor (adobe).
CVSS VectorVendor: adobe
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Media Encoder is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Arbitrary code execution in Adobe Media Encoder is possible through an out-of-bounds write triggered when a victim opens a maliciously crafted media file, running attacker code in the context of the current user. The flaw was reported by Adobe and is addressed in advisory APSB26-72; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim open or import a specifically crafted malicious file in Adobe Media Encoder (UI:R) - this user interaction is the essential precondition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - meaning local attack vector, low complexity, no privileges required, but mandatory user interaction, with high impact across C/I/A. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious media or project file that triggers the out-of-bounds write and distributes it to a target (e.g., as a client deliverable, shared asset, or email attachment). When the victim opens or imports the file in Adobe Media Encoder, memory corruption is triggered and attacker-supplied code executes with the victim's privileges. … |
| Remediation | Apply the update referenced in Adobe security advisory APSB26-72 (https://helpx.adobe.com/security/products/media-encoder/apsb26-72.html) - Patch available per vendor advisory; the exact fixed version is not specified in the provided data, so obtain the target build directly from that advisory or via the Creative Cloud desktop app's update mechanism. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all systems running Adobe Media Encoder across the organization and disable the application on non-essential machines; notify media production and creative teams of the vulnerability and instruct them to reject media files from unexpected senders. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Media Encoder
View allArbitrary code execution in Adobe Media Encoder arises from a stack-based buffer overflow (CWE-121) triggered when a vic
Arbitrary code execution in Adobe Media Encoder is possible when a victim opens a maliciously crafted media file, trigge
Arbitrary code execution in Adobe Media Encoder arises from an out-of-bounds write (CWE-787) that lets a crafted media f
Media Encoder is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An a
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44446
GHSA-g3xr-8x2q-36jr